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IRS: REVIEWING ITS LEGAL OBLIGATIONS, 
DOCUMENT PRESERVATION, AND DATA SE- 
CURITY 


Thursday, February 11, 2016 

House of Representatives 
Committee on Oversight and Government Reform 

Washington, D.C. 

The committee met, pursuant to call, at 1:02 p.m., in Room 2154, 
Rayburn Office Building, Hon. Jason Chaffetz [chairman of the 
committee], presiding. 

Present: Representatives Chaffetz, Mica, Jordan, Walberg, 
Amash, DesJarlais, Gowdy, Massie, Meadows, DeSantis, Buck, 
Walker, Blum, Hice, Russell, Carter, Grothman, Hurd, Palmer, 
Cummings, Maloney, Norton, Connolly, Kelly, Watson Coleman, 
Plaskett, DeSaulnier, Boyle, and Welch. 

Chairman Chaffetz. The Committee on Oversight and Govern- 
ment Reform will come to order. Without objection, the chair is au- 
thorized to declare a recess at any time. 

We are here today because the IRS’ current leadership has prov- 
en irresponsible and negligent. The IRS cannot seem to properly 
preserve documents or ensure both privacy and security in accept- 
ing electronic tax returns. The Agency is in desperate need of new 
leadership to put it on a better course. There are already a number 
of examples of IRS incompetence and neglect in the past few years, 
but several incidents in recent weeks have made it clear for the 
need for further serious oversight and meaningful reform. 

As millions of individuals and companies prepare to file tax re- 
turns, the IRS must ensure its data systems are secure. Last sum- 
mer, the IRS suffered a massive hack, leaving the tax information 
of 300-plus thousand individuals exposed. The hackers used that 
information to file fraudulent returns totaling something in the 
neighborhood of $50 million in refunds before the IRS figured out 
what was happening. But it has been well documented billions of 
dollars have inappropriately gone out the door. 

And the facts surrounding the recent events appear very similar. 
On January 25th, 2016, the IRS detected unusual IP traffic on its 
network. This turned out to be a coordinated hot attack or botnet 
aimed at the e-file system. The hackers’ goal was to recover tax- 
payer e-PINs, electronic pins, which would allow them steal re- 
funds of innocent taxpayers. Roughly 450,000 unique social secu- 
rity numbers were used by hackers in at least 950,000 attempts to 
obtain these electronic PIN numbers. All told, the hackers are esti- 
mated to have stolen more than 101,000 of these electronic PIN 
numbers. 
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This latest breach raises serious concerns about the security of 
the system overall as well as the potential for paying out fraudu- 
lent claims, but none of this should surprise the IRS. In the last 
evaluation of the IRS’ information security, the inspector general in 
September of 2015 determined, “Until the IRS takes steps to im- 
prove its security program deficiencies and fully implement all se- 
curity program areas in compliance with FISMA requirements, tax- 
payer data will remain vulnerable to inappropriate and undetected 
use, modification, and disclosure.” It probably does not get any 
worse or dire in terms of a warning. This level of incompetence is 
intolerable for an agency where millions of individuals file their 
most personal financial information. 

We are also here to discuss the failure of the IRS to properly pre- 
serve documents subject to lawsuits, and/or internal preservation 
orders, as well as FOIA requests. We take FOIA very seriously. 
The Freedom of Information Act is the public’s right to know. It 
also allows companies and other organizations to access data so 
they can defend themselves. 

On January 15th of 2016, the Department of Justice disclosed in 
a Federal court filing that the IRS had erased a hard drive belong- 
ing to a former senior Agency employee named Samuel Maruca. 
And if this story sounds similar to things we have heard about 
with Lois Lerner and others, it is, and that makes us sick. It is dis- 
gusting. It has to stop. We are doing everything we can to high- 
light. It is inappropriate, and yet it continues. 

The hard drive contained information subject to FOIA litigation. 
Despite the lawsuit, an internal preservation order, and the legal 
obligation to preserve related documents to the IRS, the IRS wiped 
the hard drive and scheduled it for recycling. This involved a multi- 
billion-dollar issue relating to Microsoft. The hard drive likely sat 
in queue and was wiped up to 4 months after the internal preser- 
vation was ordered. Again, after. Internal preservation in place, 
then the wiping of a hard drive. 

We cannot say for sure to pinpoint the date because the IRS does 
not know when the hard drive was wiped clean. Hard drives. You 
go to Best Buy, you can buy them for less than a hundred bucks. 
In a multibillion-dollar situation, this is what we are talking about, 
but, again, this continues to be familiar. 

In March of 2014, the IRS destroyed backup tapes containing 
Lois Lerner’s emails which were subject to investigation by Con- 
gress, the inspector general, the Department of Justice. There were 
five open investigations, two duly issued subpoenas, and the IRS 
wiped the data. Here we have another case where people properly 
filed FOIA requests, and they wiped it again. This is just 1 month 
after the Agency learned that a significant portion of the Lerner 
emails were missing, and, again, it happened. As it turns out in the 
Maruca case, the IRS, by sheer luck, already copied the hard drive 
because of a different lawsuit. It was not because of competence. 
It was just sheer luck. 

So if you look at the IRS, they have roughly $2.4 billion they 
spent on IT, and it is worthless. Absolutely worthless. 60 to 70 per- 
cent of those funds are spent on legacy systems, preserving old 
things like COBOL and other types of things, but there are still bil- 
lions of dollars in fraud running through the system. 
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We have a situation we are going to talk about today where 
there was a reported hardware failure. The story we got is that 
there was a power outage, but then the redundant power, the 
backup power, it also went out. How does that happen? Why do you 
have redundant power if it also goes out? When we asked through 
questioning about a breach, I put out a tweet pretty quick and said, 
you know, this so-called hardware failure maybe was a breach. We 
start to go and probe and have an investigation. We have a bipar- 
tisan staff talking to the IRS, and then they say, oh, we should 
probably tell you about the breach. What breach? 

If you look at the timeline of this, let us go through this because 
this is just days ago. Our committee. Oversight and Government 
Reform, a week ahead email to the press confirmed that there 
would be a hearing on February 11th relating to IRS document de- 
struction and data security. On February 8th, majority and minor- 
ity committee staff has a call with the IRS regarding the e-filing 
outage and the status of the Maruca hard drive. The IRS gives an 
update on how it planned to recover the hard drive and confirmed 
it had been wiped. After that date, our staff asked about the breach 
referring to the e-filing issue. Mr. Milholland, who is here with us 
today, begins describing the previously unreported and undisclosed 
breach. The IRS legal staff intervened and said that he was talking 
about a different event, so we asked for more information about 
that. 

The next day, February 9th, miraculously in the Wall Street 
Journal, the IRS releases further details regarding the breach in 
another phone call with the majority and minority committee staff, 
and shortly thereafter the IRS releases a statement to the Wall 
Street Journal regarding the breach. If we had not been asking 
about another incident, we would not have known about this inci- 
dent, and it affects over 100,000 people. 

This is a recurring theme. It is totally unacceptable. We look for- 
ward to peppering you with questions, and we expect answers. 

With that I will yield back, and now recognize the ranking mem- 
ber, Mr. Cummings. 

Mr. Cummings. Thank you very much, Mr. Chairman. I always 
try to start out hearings by stating what I think we can all agree 
on. Today I think we can agree that the IRS should have strong 
systems in place to properly preserve Federal records and to pro- 
tect its computer systems from cyberattacks. I think we can agree 
on that, and those are valid goals, and I know that the IRS agrees 
with them. 

However, I do not believe this committee has been serving its in- 
tended purpose when it comes to the IRS generally. Unfortunately, 
Republicans have become obsessed with investigating any and 
every allegation relating to the IRS, no matter how small. I believe 
this is because Republicans were not able to find any evidence to 
support their baseless accusations that the White House conspired 
with Lois Lerner to target conservative groups for political reasons. 
They also were not able to identify any evidence that Commissioner 
Koskinen or any IRS employees destroyed evidence in order to ob- 
struct our investigation. 

For the record, this is our 23rd hearing on the IRS. The 23rd. 
23rd. That is amazing. We have now interviewed 54 witnesses. The 
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IRS commissioner has testified six times, more than any other 
agency has over the past 3 years. The IRS had produced more than 
1.3 million pages of documents from 88 custodians in response 
more than 80 requests for documents. Yet despite this exhaustive 
multi-agency, multi-committee, multiyear investigation, this wild 
goose chase continues, and it has come up empty. 

Last year, the inspector general issued his report and identified 
no evidence to substantiate Republican claims of political motiva- 
tion by the White House or intentional destruction of evidence. 
Specifically, the report found, “No evidence was uncovered that any 
IRS employee had been directed to destroy or hide information 
from Congress, the DOJ, or TIGTA.” 

The Justice Department also conducted an investigation and con- 
cluded that, “Not a single IRS employee reported any allegation, 
concern, or suspicion that the handling of tax exempt applications 
or any other IRS function was motivated by political bias, discrimi- 
natory intent, or corruption.” The Justice Department also found, 
“no evidence that any official involved in the handling of tax ex- 
empt applications or IRS leadership attempted to obstruct justice, 
and no evidence of any deliberate attempt to conceal or destroy in- 
formation.” Amazingly, none of these findings stopped the Repub- 
licans from trying to impeach the IRS commissioner, despite the 
fact that there is no evidence that he intentionally obstructed our 
work or destroyed documents. 

The problem now is that our committee is in a mindset where 
we are just trying to get the IRS, and unfortunately the public does 
not always get a complete or accurate picture as a result. For ex- 
ample, the impetus for today’s hearing was a press report that an 
IRS employee, who was leaving the Agency, had his hard drive 
erased in violation of a court order. However, we received a letter 
from the IRS last week explaining that, in fact, the IRS copied this 
employee’s hard drive first. Another example is the outage the IRS 
experienced last week. The chairman stated that his gut reaction 
was that the outage was, “It really does smell like a hack.” How- 
ever, the IRS has now briefed our committee that, in fact, it was 
due to a mechanical device failure, and there is, “zero percentage 
chance that this was a cyberattack.” 

Yet another example Republicans have focused on is the incident 
involving PIN numbers that occurred in January. What is not men- 
tioned is that, in fact, the IRS successfully blocked the IP addresses 
from which this attack was initiated. As a result, this week the IRS 
confirmed, “No personal taxpayer data was compromised or dis- 
closed by our IRS systems.” These are critical facts, and I hope that 
the public understands them and any press that are here will re- 
peat them. As I said earlier, this is our 23rd hearing on these types 
of allegations against the IRS. 

Imagine instead if we had held 23 hearings on the issue that ac- 
tually matters to the American people. Imagine if we had held 23 
hearings where we brought in drug company officials to explain 
their skyrocketing prices. Now, that is something that we could 
really help our fellow citizens on and would make a big difference. 
Going forward, I hope we will use the resources and the authority 
of this great committee to serve the interests of our constituents. 
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I want to thank our witnesses for being with us today. I look for- 
ward to your testimony. And with that, Mr. Chairman, I yield back. 

Chairman Chaffetz. I thank the gentleman. I will now recognize 
Mr. Jordan of Ohio as the chairman of the Subcommittee on 
Healthcare Benefits and Administrative Rules, and recognize him 
for 5 minutes. 

Mr. Jordan. Thank you, Mr. Chairman. The ranking member 
said Republicans have had 23 hearings where they are “trying to 
get the IRS.” We are not trying to get the IRS. The IRS is trying 
to get conservative Americans who are exercising their 1st Amend- 
ment free speech rights. 23 hearings is a pretty small price to pay 
when you are trying to protect fundamental liberties in the Con- 
stitution, for goodness sake. So I want to thank the chairman for 
this hearing on document preservation, data security. If anyone 
needs it, certainly the IRS needs a lesson in how to preserve docu- 
ments. 

Let me give you a quick little history here. Several years back, 
Brian Downing orders destruction of documents that TIGTA needs 
in their audit. The person who was ordered to destroy the docu- 
ment comes forward as we want whistleblowers to come forward 
when something wrong is going on, comes forward and tells Ste- 
phen Whitlock, the then acting director of the Office of Professional 
Responsibility, and he says just keep destroying the documents. 

Fast forward to 2013. Again, the IRS gets caught with their hand 
in the cookie jar. Lois Lerner’s now famous speech. May 10th, 2013, 
where she goes to the Bar Association, lies to the American people, 
says it was not us, it was just those folks in Cincinnati. Complete 
lie. It was folks in Washington orchestrating this targeting against 
conservative groups. Later that year, later in 2013, Mr. Koskinen 
is brought in to clean up the mess. In fact, the President himself 
said, “He’s the expert at turning around institutions.” 

So what has the turnaround been? The chairman just talked 
about it, right? What has the turnaround been? We had this case 
with Microsoft where an IRS employee, Sam Maruca, his hard 
drive is wiped clean when there is a preservation order in place not 
to destroy any records relative to that court case and that inves- 
tigation. And, of course, the one that I think is most important, Mr. 
Koskinen, brought in as the turnaround expert, learns that Lois 
Lerner’s hard drive has had problems. He waits 2 months before 
he tells Congress and the American people, and, more importantly, 
under his watch, 422 backup tapes are destroyed after there are 
three preservation orders. Three orders, one from Mr. Milholland 
himself, do not destroy anything. And what does the IRS do? Three 
preservation orders, one from the IRS themselves, one from TIGTA, 
one from the Justice Department doing a criminal investigation, 
and two subpoenas from this committee, what does the IRS do? 
They destroy 422 backup tapes containing potentially 24,000 
emails relevant to a congressional investigation and a criminal in- 
vestigation. So there is a pattern here. 

Now, finally, Mr. Chairman, just to add insult to injury, guess 
what the Internal Revenue Service did? That very first example I 
gave you about Mr. Whitlock who said, no, keep destroying the doc- 
uments that the whistleblower came forward and said we are 
doing. Guess what happens? I guess at the IRS if you destroy docu- 
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ments, you get a promotion. Mr. Whitlock was just named head of 
the Office of Professional Responsihility. 

So to the ranking member, I think a 24th hearing with that kind 
of history at this organization is more than warranted, for goodness 
sake. There is a pattern of destroying records, a pattern of destroy- 
ing documents, and, frankly, a pattern of destroying records and 
documents when you have been told not to. Preservation orders 
and whistleblowers coming forward, and yet it continues, and when 
that happens, some people get promoted at the IRS. Of course we 
need this hearing, and I look forward to hearing from our wit- 
nesses. 

Chairman Chaffetz. I thank the gentleman. I will now recognize 
the gentleman from Virginia, Mr. Connolly, for 5 minutes. 

Mr. Connolly. Thank you, Mr. Chairman, and thank you, Mr. 
Ranking Member. 23 hearings on the IRS. You know, when you 
cannot prove it, charge it anyhow. Repeat it. Do it louder. Try to 
suborn the TIGTA to make sure that his audit is limited with di- 
rect advice from you and your staff. Accuse people without facts. 
Hammer it home on your favorite network, and hopefully it will 
sink in and become true even if the facts belie it. 

Chairman Chaffetz. Will the gentleman yield? 

Mr. Connolly. No. I am tired of these hearings. I am tired of 
insinuation. I am tired, frankly, of what looks to a lot of people like 
demagoguery. 

Chairman Chaffetz. Will the gentleman yield? 

Mr. Connolly. No, Mr. Chairman, sadly I will not. I will finish 
my statement. We need the IRS. We need it to be functional. The 
same people that want to pillory you here today for your perform- 
ance do not want to take responsibility for the fact they have 
starved the beast. They have cut a billion dollars from the IRS 
budget, degrading service, making it very difficult for the IRS to 
actually do its job. We leave $350 billion on the table every year, 
taxes owed, but not collected. That could make a big dent in the 
debt. We could reduce the debt over 10 years by $3 and a half tril- 
lion without raising anyone’s taxes and without cutting any essen- 
tial services, but we do not want to do that. 

We do not want to do that because illogically the IRS is such a 
juicy target for our base and making the case that you represent 
the hard knell booted government on our necks. And why in the 
world would we want to do anything to strengthen you? And as a 
result, we have IT systems, according to John Koskinen, that go 
back to the Kennedy Administration. That is 53 years ago. And we 
wonder why things are not totally functional? We wonder why IRS 
is not fully efficient? We wonder why hard drives crash when the 
average age of a computer at IRS with 91,000 employees is 7 years 
plus. In the private sector it is 2 to 3 years. 

So to archive stuff, we have to print and save because we cannot 
trust aging legacy technology systems, and this Congress will not 
reinvest in you to bring you up to the 21st century because that 
would make you more efficient. That actually might make you be 
able to better do your job, and dysfunctionality serves our purposes 
illogically and politically. 

So, yeah, that is why we have 23 hearings, and we demonize peo- 
ple, and we deny them their 5th Amendment rights, and make 
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charges that turn out to be without foundation. It does a disservice 
to this committee, in my opinion, and I have sat through every one 
of these hearings. 

And I began truly concerned. Was this, in fact, going on? Did 
IRS, in fact, target a particular group or philosophy? As the rank- 
ing member said, all of the facts tell us no. Was there ineptitude? 
Was there political tone deafness? Yes. Was there a deliberate at- 
tempt by a Federal agency to target a particular political group or 
set of groups because of their political philosophy? No. And you can 
charge to the contrary all you want, but the evidence trail does not 
tell us that. But it makes for good television, and it riles up the 
base, and it probably raises money, but it is not worthy of the 
Oversight and Government Reform Committee. 

And as the ranking member said, had we spent 23 hearings look- 
ing at price gouging on pharmaceuticals, we actually might have 
improved someone’s life. We might have actually helped some sen- 
iors better afford the drugs they need. We might have made a con- 
tribution to bettering government. But this is a charade. This is 
not about making government better, and it is not even really 
about holding you accountable. I wish it were. It is to pillory you 
for political purpose, and I regret that. 

Now, Mr. Chairman, I do yield. 

Chairman Chaffetz. For you to suggest and try to assign a mo- 
tivation to our attempt here to get at the truth is beneath the gen- 
tleman from Virginia. Name one thing that I said in my opening 
statement that is not true. Name it. You do not have anything. 

Mr. Connolly. You do not have anything, Mr. Chairman. 

Chairman Chaffetz. Yes, I do. 

Mr. Connolly. I reclaim my time. 

Chairman Chaffetz. Will the gentleman yield? 

Mr. Connolly. No. 

Chairman Chaffetz. I have a point I want to make about IT. 

Mr. Connolly. The chairman can use his own time because he 
has got plenty of it, and he is more than prepared to use it. I re- 
verse it. I echo what the ranking member said. I do not think you 
have proof 

Chairman Chaffetz. The gentleman’s time has expired. The 
gentleman’s time has expired. 

Mr. Connolly. Okay, thank you. 

Chairman Chaffetz. With the concurrence with the ranking 
member, I would like to make a point about IT because I think 
that is part of the heart of why we are here today. Is the gen- 
tleman okay with that? 

Mr. Cummings. Go ahead. 

Chairman Chaffetz. I was elected at the same time as President 
Obama, so use that as a marker. The Federal government has 
spent more than $525 billion on IT, and it is worthless. One of the 
questions I have here with an operating budget for the IT sector 
roughly $2.4 billion a year, why is it that we have such poor sys- 
tems? Why is it that we have DOS, and COBOL, and other things? 
We have got good hardworking, patriotic people that work at the 
IRS. We have 4,000 of them in the State of Utah, and they are 
using an old dilapidated system. I do not know how they do it. 
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They try to patch and Band-Aid this thing together, and they can- 
not seem to have enough resources. 

The President puts out a thing saying I need $3 billion more? We 
were only $3 billion short? What happened to the other $525 bil- 
lion? That is a legitimate bipartisan question. It is part of the rea- 
son I am here today. How is it that the IRS goes via the Depart- 
ment of Justice and tells a judge that they do not have these 
records? And it is not until this committee in a bipartisan way with 
the staff says where is this information that miraculously they 
said, oh, we actually do have it. 

That is a legitimate question. It is why we have another hearing. 
I did not even start the week before last thinking we were doing 
an IRS hearing. I yield to the gentleman from Maryland. 

Mr. Cummings. Questions have been raised by the chairman. I 
would hope that you would address those. One of the things that 
all of us, and I know the gentleman from Virginia is one who is 
an expert in IT and has spent a phenomenal amount of time trying 
to make sure our government properly functions effectively and ef- 
ficiently. And the question that the chairman just raised with re- 
gard to the use of old systems when we should be in the modern 
age are questions that, I think, are legitimate questions. 

And so, I look forward to your responses. Does the gentleman 


Mr. Connolly. I would just add to my friend from Maryland, I 
could not agree more that those are legitimate lines of inquiry, but 
they have to be balanced with what has happened to your budget 
so that you can make those investments. Has it gone up or down? 
Has Congress shown a commitment to try to modernize your IT 
systems so that we do not have this kind of problem? Presumably 
we could find common ground. That is non-partisan agreement. 

Chairman Chaffetz. It is in my set of questions and why we are 
having this hearing today. 

Mr. Connolly. Except that it is not. 

Mr. Cummings. Reclaiming my time, Mr. Chairman, I yield back. 

Chairman Chaffetz. I just have to say, and I will give you equal 
time here. For the gentleman to suggest those are not my questions 
and to impugn the motive of any member is totally inappropriate. 

Mr. Connolly. I would simply say I did not impugn anybody’s 
motive. I characterized this hearing and this process, and if the 
gentleman wishes to take exception to that or offense by that 

Chairman Chaffetz. Oh, I take deep exception to it. 

Mr. Connolly. Well, I regret 

Chairman Chaffetz. It is bipartisan. We get equal time, and 
there is a legitimate reason to understand why they go to the De- 
partment of Justice, represent that they do not have the docu- 
ments. We ask for them, and then they miraculously say, oh, yes, 
I guess we do have them. 

Mr. Connolly. I think that the chairman can certainly appre- 
ciate questioning the process and the 23rd hearing on the IRS 
without necessarily personalizing it. The chairman knows I do re- 
spect him, and I certainly made no attempt to try to personalize 
it. But would I characterize this process negatively? Yes. I have 
made no secret of that, and I do not apologize for it, and I do not 
retract it. 
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And it is not impugning you or any other individual to call into 
question that process. That is my right as a member of this com- 
mittee, and I will not be silenced by deliberating trying to person- 
alize it so that the critique somehow is diluted. The critique stands. 
You do not have to agree with it, Mr. Chairman. 

Chairman Chaffetz. I do not. 

Mr. Connolly. But I stand by it. 

Chairman Chaffetz. Let us move on. Let us move on. 

Mr. Connolly. Fine, let us move on. 

Chairman Chafeetz. I am pleased to welcome Mr. Terry 
Milholland, chief technology officer at the Internal Revenue Serv- 
ice, Mr. Jeff Tribiano, deputy commissioner of Operations at the In- 
ternal Revenue Service, and Mr. Ed Killen, Director of Privacy, 
Government Liaison, and Disclosure at the Internal Revenue Serv- 
ice. I appreciate you all being here today. 

If you will, please rise and raise your right hands. 

[Witnesses rise.] 

Chairman Chaffetz. Do you solemnly swear or affirm that the 
testimony you are about to give will be the truth, the whole truth, 
and nothing but the truth, so help you God? 

[Chorus of ayes.] 

Chairman Chafeetz. Thank you. You may be seated. Let the 
record reflect that the witnesses all answered in the affirmative. 

In order to allow time for discussion, we would appreciate it if 
you would limit your oral presentation to 5 minutes. Your entire 
written statement will be made part of the record. Mr. Milholland, 
you are now recognized for 5 minutes. 

WITNESS STATEMENTS 

STATEMENT OF TERENCE MILHOLLAND 

Mr. Milholland. Chairman Chaffetz, Ranking Member Cum- 
mings, members of the committee, my name is Terence Milholland. 
I am the IRS chief technology officer and chief information officer. 
I appreciate the opportunity to testify today. 

In my role at the IRS, I’m responsible for all aspects of the sys- 
tems and data that operate our tax infrastructure. We have a 
7,000-person information technology organization that maintains 
500-plus systems and data, and supports the processing of 200 mil- 
lion tax returns annually. 

Before joining the IRS 7 years ago, I spent 3 decades in the pri- 
vate sector and held a number of information technology leadership 
positions. My experiences included as executive vice president and 
chief technology officer of Visa International. I was also the chief 
information officer and chief technology officer for Electronic Data 
Systems Corporation, and before that the chief information officer 
for the Boeing Company. 

It is an honor for me to serve the public as the IRS CTO, and 
to support the tax system by helping the Service modernize its IT 
systems. 

This concludes my opening statement, and I’d be happy to take 
your questions. 

[Prepared statement of Mr. Milholland follows:] 
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WRITTEN TESTIMONY OF 
THE INTERNAL REVENUE SERVICE 
BEFORE THE 

HOUSE OVERSIGHT AND GOVERNMENT REFORM COMMITTEE 
ON IRS RECORDS MANAGEMENT PROCEDURES 
FEBRUARY 11, 2016 


Chairman Chaffetz, Ranking Member Cummings and Members of the 
Committee, thank you for the opportunity to discuss the IRS’s records 
management procedures. 

The IRS has been working for more than a year to revamp our records retention 
practices in regard to emails and other electronic records. While we have made 
significant progress in this area, we recognize the need to continue improving 
upon these efforts, which are described in more detail below. 

The IRS has long been challenged in this area, because for many years our 
operations have relied on extremely outdated technology. In fact, despite more 
than a decade of upgrades to the agency’s core business systems, we still have 
very old technology running alongside our more modern systems. As a result, 
some agency practices are not up to the level of those of a typical modern 
organization. A case in point is the IRS’s document retention program for 
electronic records, which historically has relied on individual employees either 
archiving information on their computer hard drives and network drives, or 
printing records and storing them in paper files. 

While these methods are in compliance with National Archives and Records 
Administration (NARA) standards, there are still risks and vulnerabilities inherent 
in such a system. Searching individual hard drives to fulfill a document request is 
a labor-intensive, time consuming process. This type of system poses an 
additional complication for the IRS, involving the need to safeguard any taxpayer 
data contained in electronic records created by employees who leave the 
agency. Additionally, computer hard drives are prone to equipment failure 
resulting in data loss, and the management of a large hard-drive inventory 
presents significant logistical challenges, even in the best of circumstances. Our 
standard practice has been to erase departed employees’ hard drives prior to 
reusing or scrapping them. 

The IRS considered putting a more modem electronic records storage system in 
place in 2012, but was unable to do so because of budget constraints. Since 
then, the unprecedented volume and scope of the document requests made by 
Congress and the public in 2013 in regard to the processing of applications for 
tax exempt status highlighted the need for the IRS to continue improving its 
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maintenance of federal records that are in electronic form, to the extent our 
limited funding will allow, 

A key part of our current effort to improve the management and storage of 
electronic records began in October 2014. In this effort, we have been in close 
consultation with NARA to ensure the best approach. Our interim solution has 
been to adopt a process created by NARA, termed the “Capstone" approach, to 
secure the email records of all senior officials in the agency by copying them to 
the network. This process for senior IRS executives was initiated in late 2014 and 
completed for all existing executives in April 2015. As additional executives are 
hired, promoted, or appointed, their email records are saved on the network. 

While adoption of the Capstone approach was an important step fon/vard, it is not 
the ultimate solution for the preservation of electronic records of the agency. We 
need to end any reliance on individual hard drives as an archival records store, 
and instead use network databases to preserve all official records that are 
electronically generated by our workforce - frontline employees as well as 
executives. To reach that end, we are working toward having systems in place by 
the end of Calendar Year (CY) 2016 that will allow us to copy material off the 
hard drive of every employee who leaves the agency, and store that information 
in a digital format. 

As we have continued making improvements for the long term, we recently 
realized the need for additional interim measures, to ensure we are doing 
everything possible to retain official electronic records until we have implemented 
the more comprehensive solution and tested it to ensure it is working as 
intended. 

This need became apparent when an issue arose in connection with the 
Service’s collection and production of documents related to a Freedom of 
Information Act (FOIA) case captioned Microsoft v. IRS. This document collection 
effort has included analyzing the computer hard drives of current and former IRS 
employees who were identified as potentially having information pertinent to the 
case. In December 2014 the IRS implemented a “litigation hold” that covered 
many of the topics and custodians identified by Microsoft. We took this action as 
a proactive measure - not in reaction to a court-issued document preservation 
order or Congressional investigative request - to preserve information that was 
relevant or could become relevant in the future. 

In January of this year, as the IRS was producing information responsive to 
Microsoft’s FOIA request, we advised the Court that we had discovered an issue 
regarding the computer hard drive of Samuel Maruca, a former IRS employee 
whom we identified in this litigation hold effort, but who had separated from the 
Service on August 1, 2014. Shortly after he left the IRS, Mr. Maruca’s hard drive 
was designated for erasure, so that it could be securely reused or scrapped, in 
line with standard IRS procedures. Because Mr. Maruca’s hard drive was 
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designated for erasure before the issuance of our litigation hold, the hold did not 
prevent the erasure of this hard drive, which occurred in late 2014 or early 201 5. 

However, we believe the erasure of Mr. Maruca's hard drive will have minimal 
effect on our ability to complete the necessary document production in this 
instance. We now know that Mr. Maruca’s hard drive was copied on July 16, 
2014, in connection with a document collection being undertaken for separate 
litigation. We have therefore determined that the data stored on his computer 
hard drive as of July 16, 2014, has been preserved. We are in the process of 
searching this data set for information responsive to the Microsoft document 
request, and to fulfill any related obligations. We are also searching emails that 
we copied from Mr. Maruca's network account in July 2014. Particularly given 
that we have the aforementioned copy sets, we do not know, at this point, if we 
will need to access back-up tapes or disaster recovery tapes in order to produce 
documents in the future, but we are prepared to do so if necessary. Backup 
tapes have been preserved for periods after November 2012. 

Although we were fortunate in this instance to have had overlapping litigation 
holds and taken redundant document collection measures, we nonetheless 
recognize that this situation reflected a shortcoming in our document controls. 
Therefore, pending further review of the IRS’s litigation hold procedures, 
Commissioner Koskinen has ordered a halt to the erasure and recycling of all 
employee devices, including computer hard drives and mobile devices, for all 
departing employees. This is in addition to the halt on erasure and reuse of 
disaster recovery tapes backing up our network server, which began in 2013 and 
remains in effect. 

We are also broadening our litigation hold procedures, to ensure that hold 
instructions are provided not only to the pertinent employees, but also to the 
employees’ supervisors. In addition, we will update our procedures for 
processing employees who leave the Service, to ensure that appropriate 
personnel are advised of pending litigation holds and document collection efforts 
involving records in the custody of departing employees. 

It is important to note that the timing of Mr. Maruca’s departure was the main 
issue in this situation, given that it occurred before the IRS began phasing in the 
Capstone approach for the preservation of IRS executives’ emails. Indeed, were 
Mr. Maruca an IRS executive now, his emails would have been copied to the 
network and preserved pursuant to the Capstone approach prior to his departure. 

Longer term, we need to continue making improvements in our processes for 
searching for and producing relevant information. Our goal is to develop 
enhanced search capability for various types of documents, which will allow us to 
respond to Congressional inquiries and FOIA requests more timely, and put us in 
a better position to support e-discovery within civil litigation or government 
investigations. 
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The President’s Fiscal Year (FY) 2017 Budget request for the IRS includes $18,5 
million in additional funding to improve electronic enterprise records 
management, which includes funds to further improve our document search 
capability. The IRS urges Congress to approve this funding, so that we can move 
forward on this critically important initiative. 

Chairman Chaffetz, Ranking Member Cummings and Members of the 
Committee, this concludes the IRS’s statement. 
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Chairman Chaffetz. I thank the gentleman. Mr. Trihiano, you 
are now recognized for 5 minutes. 

STATEMENT OF JEFF TRIBIANO 

Mr. Tribiano. Chairman Chaffetz, Ranking Member Cummings, 
and members of this committee, my name is Jeff Tribiano, and I 
am the deputy commissioner for Operations Support for the IRS. 
I appreciate this opportunity to testify today. 

In my position at the IRS, I oversee internal operations, which 
includes information technology, human capital, finance, privacy, 
procurement, planning, facilities, and security. Prior to joining the 
IRS in June of 2015, I served as the associate administrator and 
chief operating officer of the Department of Agriculture’s Food Nu- 
trition and Consumer Services. And prior to joining the Federal 
government in 2010, I held a number of key leadership positions 
with Fortune 500 companies. In addition, for more than 22 years 
I have served and continue to serve our country as a captain in the 
United States Navy Reserves, to include three mobilizations and 
deployments to the Middle East. 

My experiences in the public sector, private sector, and military 
have given me a deep understanding of the importance of public 
service. I’m especially proud to be part of the leadership team at 
the IRS and to work for an agency with such an important mission. 
In my 8 months at the Agency, I have found this team to be an 
amazing organization filled with dedicated and talented people, 
and I’m privileged to work alongside of them. 

Turning to the subject of today’s hearing, the IRS has been work- 
ing for more than a year to modernize our records retentions prac- 
tices in regard to emails and other electronic records. We are im- 
plementing the National Archives and Records Administration’s 
Capstone approach to managing email, and are working towards 
full implementation by the end of Calendar Year 2016. At that 
point, our systems will permanently preserve the email records of 
all employees in electronic format. 

Our ultimate goal is to end the reliance on computer hard drives 
of individual employees as an archive records store, and instead 
use network databases to preserve all records that are electroni- 
cally generated by the workforce. As we make these improvements 
for the long term, we recognize we need additional interim meas- 
ures to ensure we are doing everything possible to retain official 
records until a more comprehensive solution is in place. 

This need became apparent when an issue arose in connection 
with the Service’s collection and production of documents related to 
a Freedom of Information Act case captioned Microsoft v. the IRS. 
In January of this year, the IRS advised the Court that we had dis- 
covered an issue regarding the computer hard drive of Samuel 
Maruca, a former IRS employee who we identified in a litigation 
hold effort undertaken in December of 2014 in connection with the 
case. 

Shortly after Mr. Maruca left the Service on August 1st, 2014, 
his hard drive was designated for erasure so it could be securely 
reused or scrapped in line with the standard IRS procedures. Be- 
cause Mr. Maruca’s hard drive was designated for erasure before 
the issuance of the litigation hold, the hold did not prevent the era- 
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sure of this hard drive, which occurred in late 2014 or in early 
2015. 

However, we do believe the erasure of Mr. Maruca’s hard drive 
will have minimal effect on our ability to complete document pro- 
duction in this instance. We know that Mr. Maruca’s hard drive 
was copied on July 16th, 2014 in connection with the document col- 
lection being undertaken for a separate litigation. We have, there- 
fore, determined that the data stored on his computer hard drive 
up to July 16th, 2014 has been preserved. We also have emails cop- 
ied on Mr. Maruca’s network account in July of 2014, and if nec- 
essary, we also can access our backup tapes or disaster recovery 
tapes in order to produce documents. 

Even so, we recognize the situation will reflect a shortcoming in 
our document controls. Therefore, pending further review of the 
IRS’ litigation hold procedures, the Commissioner has ordered a 
halt to the erasure and recycling of employees’ devices, including 
computer hard drives and mobile devices, for all departing employ- 
ees. We’ll now copy material off the hard drive of every employee 
who leaves the Agency, and store that information in a digital for- 
mat in addition to retaining the physical hard drive. 

We are also broadening our litigation hold procedures to ensure 
that hold instructions are provided not only to the pertinent em- 
ployees, but also to the employee’s supervisor. We’ll also update our 
procedures for processing employees who leave the Service to en- 
sure that appropriate personnel are advised of pending litigation 
holds and document collection efforts involving the records of cus- 
tody for departing employees. 

In closing, I want to assure the committee that the IRS is com- 
mitted to building on these efforts and to make further improve- 
ments, and continue focusing on serving the Nation’s taxpayer. 

This concludes my statement, and I’ll be happy to answer any 
questions. 

Chairman Chaffetz. Thank you. Mr. Killen, you are now recog- 
nized for 5 minutes. 

STATEMENT OF EDWARD KILLEN 

Mr. Killen. Chairman Chaffetz, Ranking Member Cummings, 
and members of the committee, my name is Edward Killen, and I 
am the director of Privacy, Governmental Liaison, and Disclosure 
at the IRS. I appreciate the opportunity to testify today. 

In my role at the IRS, I represent the Agency’s interests in mul- 
tiple aspects, including records management, information protec- 
tion, disclosure, data sharing, and combatting identity theft. My of- 
fice manages relationships with Federal, State, and local agencies 
by facilitation and oversight of various data sharing programs and 
initiatives. We also work to ensure the protection of Federal tax in- 
formation in the custody of our data exchange partners. 

The bottom line for my office is that we’re working every day to 
protect taxpayers, safeguard their personal data, and promote both 
privacy and transparency principles, including the appropriate 
availability of Agency records. 

I’ve spent my career in public service, beginning as a presidential 
management fellow with an appointment to the Social Security Ad- 
ministration. In 2003, I joined the IRS as a policy analyst in our 
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Wage and Investment Division. Since then, I’ve had the oppor- 
tunity to carry out a wide range of assignments in different areas 
at the Service, including leadership positions as the director of 
Governmental Liaison, Disclosure, and Safeguards, and senior ad- 
visor to the deputy commissioner of Operations Support. I have 
also engaged in numerous and diverse detail assignments across 
the IRS, including stints within our Chief Counsel’s Office and the 
2008 economic stimulus team. 

I’m proud of the years I’ve spent in public service and grateful 
for the chance to continue to serve the American taxpayer. 

This concludes my statement, and I would be happy to take your 
questions. 

Chairman Chaffetz. Thank you. You all seem like decent indi- 
viduals. The question is, why do we have to keep coming back and 
asking for the same basic information? The IRS advice to individ- 
uals in businesses is that they should hold their own personal busi- 
ness and tax information for how long? How long are you supposed 
to hold onto your own personal information? Mr. Tribiano? 

Mr. Tribiano. Sir, that is not my area. I am with Operations 
Support, so I 

Chairman Chaffetz. Mr. Killen, how long? How long does the 
IRS advise you to hold onto your own personal information? 

Mr. Killen. Well, I think it would depend on the particular cir- 
cumstances. But, you know, as a general matter, probably 7 years 
or so is probably 

Chairman Chaffetz. 7 years. I mean, that is what I have gen- 
erally heard as well, 7 years. So how long does the IRS hold onto 
its own data and information? Mr. Maruca leaves the employment. 
Why the swift erasure of everything that he has? Why does that 
happen? Mr. Killen? 

Mr. Killen. Well, I think in the particular case of Mr. Maruca, 
as the written testimony shows and as I think we will probably 
talk through the day, that was largely a factor of sequencing and 
of particular circumstances. But I think the thing that I would reit- 
erate about that is that essentially we have found the file, the data 


Chairman Chaffetz. Okay, but, yes, you did find the file be- 
cause we pushed the issue, forced the issue. But on January 15th 
of this year, the Department of Justice on the behalf of the IRS ac- 
tually filed a notice with the Federal court that they had erased 
Mr. Maruca’s hard drive. 

Here is the fundamental problem. You require us, the people, to 
hold onto their information for 7 years. The IRS erases their infor- 
mation. There is no consequence. Nobody is held accountable. 
There was an internal preservation order, but it was ignored, and 
there is no consequence for that, right? Who issued the internal 
preservation order? 

Mr. Tribiano. That came from our legal department. 

Chairman Chaffetz. How does that process not hold that infor- 
mation? 

Mr. Tribiano. The internal preservation order came, it was actu- 
ally a litigation hold order, came after Mr. Maruca left the Agency. 

Chairman Chaffetz. What originally happened is Microsoft filed 
a Freedom of Information Act request. That was not complied with. 
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so they had to go to court and wait to get a court date, and then 
get to the court to try to say where is this information, and you 
had already erased it in less than a year. I do not understand why 
the IRS asks us to hold information or 7 years, and you do not even 
hold it for 7 months. How does that happen? Why does that hap- 
pen? 

Mr. Tribiano. Well, Mr. Chairman, it was a timing issue. Again, 
Mr. Maruca left the Agency on August 1st. 

Chairman Chaffetz. But if we have to hold our information for 
7 years, how come the IRS does not have to hold its information 
for 7 years? 

Mr. Tribiano. The information from Mr. Maruca’s system is 
backed up with our backup tapes. It is just harder to get into that 
system, and Mr. Milholland can walk through that. It is the hard 
drive that is easier to access, and that 

Chairman Chaffetz. Right now today, how long does the IRS 
preserve its own internal documents? How long? 

Mr. Tribiano. It depends on the documents. Mr. Killen can walk 
you through that. 

Mr. Killen. That is true. You know, there are various records, 
disposition schedules for different types of records, both across the 
Federal government as a general matter, but certainly within IRS, 
so it is largely fact dependent. But 

Chairman Chaffetz. Give me a range. What is the shortest 
amount of time, what is the longest amount of time. 

Mr. Killen. Oh, it can really vary. 

Chairman Chaffetz. You have a $1.7 billion dispute, and you 
have the person who is working on the issue, they leave employ- 
ment for whatever reason. I am sure it was a legitimate reason. 
But why is all that information suddenly erased, and how do you 
go in front of a judge and say we no longer have that information? 
How does that happen? 

Mr. Killen. Well, I mean, so certainly we 

Chairman Chaffetz. Because neither — sorry — neither of those 
things were true, right? Neither of those things were true. You ac- 
tually did have the information, but you represented to the Depart- 
ment of Justice that you did not have it. But it was erased even 
though there was an internal preservation order. 

Mr. Tribiano. At the time that the Department of Justice was 
notified, we thought that there was information saved. When we 
went back to take a look at it and to go through the records, we 
found that we did back it up for another litigation hold up through 
July 16th of 2014. Mr. Maruca left the Agency on August 1st. 

Chairman Chaffetz. Can you help detail for us, and you are not 
going to be able to get through it verbally now. My time has ex- 
pired. I have two things that I would love to understand. How do 
preservation orders internally work, and why are they not adhered 
to because we had that happen in the Lois Lerner case. We have 
that happening in the Microsoft case. How does that happen? And 
then the second thing is I would like to know what documents you 
do and do not retain and for how long? And I fundamentally do not 
understand why it is not the same for the IRS as it is for the Amer- 
ican people. 
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Could you between the three of you get back to the committee 
on those two topics? Is that fair? 

Mr. Tribiano. Yes, sir. 

Chairman Chaffetz. Let the record reflect all three of them 
thought it was fair. All right. 

Chairman Chaffetz. My time has expired. I will now recognize 
the gentleman from Virginia, Mr. Connolly, for 5 minutes. 

Mr. Connolly. And let the record show this member has felt the 
chairman has always conducted himself fairly. We do not always 
agree, but I think he has always been fair. 

I want to talk a little bit about investments and capacity. Mr. 
Tribiano, is it true that the Agency’s inflation-adjusted budget has 
been cut by 17 percent since 2010? 

Mr. Tribiano. Yes, sir. 

Mr. Connolly. Is it further true that by Fiscal Year 2015 we 
whittled down your funding and your budget to the lowest level in 
5 years? 

Mr. Tribiano. Yes, sir. 

Mr. Connolly. Is it also true that, in effect, when you count in- 
flation, that means that your budget has the buying power of the 
budget of 1998? 

Mr. Tribiano. Yes, sir. 

Mr. Connolly. That is a long time ago. The reduction has been 
about $1.2 billion? 

Mr. Tribiano. Yes, sir. 

Mr. Connolly. And in Fiscal Year 2015 alone, the budget was 
cut another $346 million from the previous year funding. Is that 
correct?? 

Mr. Tribiano. Yes, sir. 

Mr. Connolly. Well, let me see. Because of these cuts, as I un- 
derstand it, the workforce has been cut by 17,000 since 2010. Is 
that correct?? 

Mr. Tribiano. Yes, sir. 

Mr. Connolly. Two-thirds of your top managers have left in the 
last 5 years. Is that correct?? 

Mr. Tribiano. Yes, sir. 

Mr. Connolly. 40 percent of your workforce, by the way, on top 
of that is eligible to retire by 2019 largely because of the baby 
boom generation. Is that correct? 

Mr. Tribiano. Yes, sir. 

Mr. Connolly. Well, do these cuts and reductions have an im- 
pact on productivity, customer service? 

Mr. Tribiano. Yes, sir, it has a direct impact. 

Mr. Connolly. Does it impact your audit capability? 

Mr. Tribiano. It impacts our audit capability and our revenue 
collection of capability as well. 

Mr. Connolly. Well, Mr. Milholland, do these cuts have any im- 
pact at all on the IT budget? 

Mr. Milholland. Yes, sir. 

Mr. Connolly. How so? Do you want to elaborate a little? 

Mr. Milholland. It affects people, processes, and technology. 
For example, in the people area, we know that we have 67 people 
who are the single points of failure, so to speak, for particular sys- 
tems. If they left, we would not have any knowledge to deal with 
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an issue in that particular system they support. That is how thin 
we have become is that we now can identify the places where we 
are truly thin, so we have to deal with risk mitigations for those 
particular systems. 

Mr. Connolly. So Mr. Koskinen was quoted last week as saying 
we have got systems that go back to the Kennedy Administration. 
What was he talking about? 

Mr. Milholland. What he was referring to are systems like the 
individual master file or the business master file, where these sys- 
tems were literally designed and architected in the 1960s and 
rolled out in the 1970s. Those systems are where literally your tax 
returns, the master file record of your tax returns, are kept. We 
have been 

Mr. Connolly. Let me interrupt you one second there. So my 
tax returns might be kept on a system that goes back to the 1960s 
and 1970s? 

Mr. Milholland. That was architected in the 1960s and 1970s. 
That is correct, sir. 

Mr. Connolly. What could go wrong with that? 

Mr. Milholland. Well, that is one of the many issues that we 
deal with is the sustainability of those long-lasting legacy systems 
so that every year we can have a smooth filing season. 

Mr. Connolly. So when we talk sometimes about retrieving in- 
formation, archiving information, being able to produce documents 
or evidence with respect to a court case, we are relying in many 
cases on technology to be our friend that goes back 40, almost 50 
years. 

Mr. Milholland. Obviously depending on the case, so to speak, 
if individual taxpayer data is being accessed, that architecture is 
that old. The access mechanisms might be more current. 

Mr. Connolly. Right. 

Mr. Milholland. But the fundamental underlying structure is 
reliant upon systems that were built in that era. 

Mr. Connolly. Okay. You come from private sector? 

Mr. Milholland. Yes, sir. 

Mr. Connolly. You are now the CTO for a public sector entity. 
Real quickly in the time I have got left, what would you do and 
what would it cost to do what you do to modernize and upgrade the 
IRS so it is functioning as a modern technology-oriented entity in 
2016? 

Mr. Milholland. Yes, sir. I will try to be very brief. We built 
a technology roadmap. We did that a few years ago and have been 
executing against it for the future state; that is, to bring the IRS 
so it looks like a digital company in the financial area; that is, com- 
parable to the way a large financial institution would operate. That 
means that we have to upgrade a number of the underlying proc- 
esses which are based in fiiese, as I say, the 1960s architecture, 
bring them into a 21st century architecture, and implement the 
technology that allows that. 

We have standardized on modern programming languages, for 
example. All new developments since I have arrived, they are in 
Java, for example, rather than the more ancient languages like as- 
sembly language, or COBOL, or these, I will just say, simply legacy 
programming languages. We have standardized on a different oper- 
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ating system, in our case, Linux, for example, a very modern oper- 
ating system environment that is very common across all of private 
enterprise. 

And we have been slowly and steadily migrating new systems of 
what we have had to invest in to support things like FATCA, the 
Affordable Care Act, the Revenue Return Program, our fraud detec- 
tion system, all are built, I will say, the right way so that we can 
slowly remove ourselves from dependencies on these older systems. 

And then the last comment I would make, we have plans to get 
off, so to speak, of that dependency. The Congress has supported 
us in our business systems modernization program in a program 
called CADE 2 , Customer Account Data Engine. The second transi- 
tion state of that is underway in which we are converting off of 
that master file system into a modern relational database program, 
at the same removing the financial material weakness of the older 
individual master file systems. 

Let me stop there because I could certainly go on and on and on. 

Chairman Chaffetz. I thank the gentleman. I would simply ask 
that the digital roadmap that you are talking about, if you could 
provide this committee that copy of this roadmap, I think we would 
both like to look at it. When you can provide that to this com- 
mittee? 

Mr. Milholland. As soon as our release mechanism allows us. 
Soon if I can get away with that. 

Mr. Connolly. Mr. Chairman, if we could also to that request 
the cost. What would it cost? 

Chairman Chaffetz. Yes, that would be great because 

Mr. Connolly. Thank you. 

Chairman Chaffetz. — the IRS has had over the last 5 years 
more than $11 billion in just IT expenditures. It is a significant 
amount of money. We would appreciate you sharing that plan with 
us. 

Mr. Milholland. Mr. Chairman, could I add one other thing? 

Chairman Chaffetz. Sure. 

Mr. Milholland. The roadmap does not stand by itself. It goes 
along with a business plan which we call a future state vision, in 
which all of the businesses as outlined, how do they want to actu- 
ally operate in the next 3 to 5 years, and then that roadmap sup- 
ports that plan. So you would actually need to understand both. 

Chairman Chaffetz. If you could provide both, that would be ap- 
preciated. 

Mr. Milholland. All right. 

Chairman Chaffetz. Fair enough? And I appreciate it. 

Chairman Chaffetz. I thank the gentleman for his questions, 
and I am surprised after 23 hearings you still have questions. 

Mr. Connolly. It was a struggle, Mr. Chairman. 

Chairman Chafeetz. Yes. Yeah, you still have questions, and so 
do we. We will now recognize the gentleman from Ohio, Mr. Jor- 
dan, for 5 minutes. 

Mr. Jordan. Thank you, Mr. Chairman. Mr. Milholland, in May 
of 2013, the country learns that the IRS has been targeting con- 
servative groups. Congressional investigations are announced. The 
President has a big press conference. The Attorney General an- 
nounces that there is a criminal investigation that will be fol- 
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lowing. As the chief information officer, did you take any action to 
preserve information data and documents? 

Mr. Milholland. Yes, sir. 

Mr. Jordan. And what action was that? 

Mr. Milholland. We issued a directive to my staffs down 
through every level of management and individuals to hold onto 
every piece of information. 

Mr. Jordan. Was your order clear? 

Mr. Milholland. I certainly thought it was clear. 

Mr. Jordan. I am going to read from it. “Do not reuse, or refresh, 
or wipe information from any personal computer that is being re- 
claimed, returned, refreshed, updated from any employee or con- 
tractor of the IRS. Effective immediately, the email retention policy 
for backups is to be indefinite rather than 6 months.” Pretty clear, 
right? 

Mr. Milholland. Yes, sir. 

Mr. Jordan. You go on in that email to say this, “In other words, 
retain everything.” Now, “everything” is a pretty big universe, so 
I do not know how you could be more clear. So the chairman has 
asked this a couple times. How in the world did the IRS end up 
destroying, with that clear directive, end up destroying 422 backup 
tapes that were extremely relevant to the investigation? 

Mr. Milholland. As you are undoubtedly aware having that 
email, TIGTA did their report out. They looked at every step of the 
process along the way of how did we end up doing that. In fact, 
I think I was quoted in there when they interviewed me as I was 
literally blown away by the fact that it had happened because, 
again, I thought the instructions were remarkably clear. 

Mr. Jordan. So I think they are clear, too, if I could just inter- 
rupt, Mr. Milholland. So I think they were pretty clear, too. So did 
you do anything else? Did you just send this email out or this di- 
rective out that says keep everything and then that was it? Is that 
all you did? 

Mr. Milholland. Within IT, the information technology organi- 
zation, we discussed it with staff and with the executive team that 
we needed to do this. We were also in the midst of consolidating 
all the email servers that were sitting around the country into our 
two primary data 

Mr. Jordan. Let me interrupt again. I only got 5 minutes here. 
Were there other preservation orders that came to the Internal 
Revenue Service, other orders to preserve documents, not just the 
one you sent out internally, but were there others that come in 
from the outside? 

Mr. Milholland. I really do not know. You would have to ask 
the chief counsel about that. 

Mr. Jordan. Yeah, well, there were two, right? There was one 
from the Justice Department and one from TIGTA that said, hey, 
they want to just reinforce and preserve documents. So did you 
take any action relevant to those other orders to preserve all infor- 
mation? 

Mr. Milholland. I do not recall seeing those orders, so 

Mr. Jordan. When the legal staff got the order from the Justice 
Department to preserve all the information, they did not say, hey, 
you better make sure we do not destroy anything. They did not 



22 


communicate it to you, and then you did not communicate another 
email like the one we were just talking about. 

Mr. Milholland. I am totally unfamiliar with the order that you 
are discussing. We always have a practice generally when a re- 
quest comes in that counsel needs us to hold onto items, they send 
an email around to the responsible individuals 

Mr. Jordan. Okay. 

Mr. Milholland. — and tell them to literally — sorry. Go ahead. 

Mr. Jordan. What about the subpoenas? This committee sent 
two subpoenas. Did that warrant or did that trigger you taking any 
further action than this one email that you sent? 

Mr. Milholland. No, sir. 

Mr. Jordan. So the two subpoenas and the other two preserva- 
tion orders, the IRS chief information technology officer, that did 
not trigger you to do anything else. You sent this one email that 
I think is pretty clear, but that is all you did. 

Mr. Milholland. As I tried to express earlier. Congressman, we 
discussed the request to hold on to all of those items that were in 
that email throughout our staffs so the executive team, the man- 
agement team, would understand how serious this was. And, there- 
fore, to protect 

Mr. Jordan. So there is 

Mr. Milholland. — basically the retention of information. 

Mr. Jordan. I got it, yeah. 

Mr. Milholland. So it was reinforced constantly to do so. 

Mr. Jordan. So then why was it not? So there are two key ques- 
tions. There are two questions, and I have got 30 seconds here. 
Two questions. One, when you say “keep everything” and then 422 
tapes, 24,000 emails are destroyed, I want to know how that hap- 
pened and why that happened. Second, this is the question I get 
all the time from folks back home. Who is held responsible? So 
there is an order given from the chief technology officer to keep ev- 
erything, and it is not kept. In fact, it is destroyed. Who was dis- 
ciplined? Who was held accountable? That is what we would like 
to know. 

Mr. Milholland. I will answer the second question first. I held 
myself accountable as it was reported in the TIGTA report that it 
starts at the top. I was at the top, and, therefore, myself and my 
management chain were held to be accountable. That was part of 
our performance plans and such and was discussed appropriately 
when we discovered this particular incident when it happened. 

Mr. Jordan. Let me just ask one other question. Did you get a 
raise the last few years? Have you had a raise in your salary? 

Mr. Milholland. Because I am in the senior critical, I got an ad- 
justment because of this senior critical pay. 

Mr. Jordan. Did your pay go up? 

Mr. Milholland. Yes, it did. 

Mr. Jordan. The last 2 years? 

Mr. Milholland. I think only once in the last 2 years. 

Mr. Jordan. Who is your direct boss? Who do you report to? 
When I look at your chain of command, it looks to me like you re- 
port to Mr. Tribiano. 

Mr. Milholland. Mr. Tribiano. 
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Mr. Jordan. And, Mr. Tribiano, your office is a direct report to 
the commissioner of the IRS. Is that right? 

Mr. Tribiano. Yes, sir. 

Mr. Jordan. All right. So what happened there? You find out 
this guy does an order, and that is as clear as it gets, retain every- 
thing. It is not followed. Tapes are destroyed, 24,000 emails. That 
information comes to you. What did you tell Mr. Koskinen? 

Mr. Tribiano. Well, sir, I was not part of the IRS during that 
time. 

Mr. Jordan. What did your office tell Mr. Koskinen? 

Mr. Tribiano. I do not know what my office told Mr. Koskinen. 

Mr. Jordan. You come to the hearing, you know we are talking 
about record retention, and you do not know what happened? 

Mr. Tribiano. I did not say that, sir. I said I was not responsible, 
and I was not there. 

Chairman Chaffetz. The gentleman’s time has expired. 

Mr. Jordan. Thank you, Mr. Chairman. 

Chairman Chaffetz. We will now recognize the gentlewoman 
from the District of Columbia, Ms. Norton, for 5 minutes. 

Ms. Norton. Thank you, Mr. Chairman. I understand that we 
are here talking about what we loosely call data preservation and 
security, but we are doing so for the IRS, where the data that we 
most want to keep to ourselves is to be found. I have often won- 
dered how the IRS is able to attract the advance technical profes- 
sional employees to do what needs to be done. You know, it is easy 
enough for us to tell you what you should do. 

So I am interested in exploring what we can do to make it pos- 
sible for you to do what you are supposed to do. Now, what in- 
trigued me was this notion of critical pay authority that allows the 
IRS — other agencies have it, too — to hire people who it would be 
very difficult to attract to the public service otherwise. Do I under- 
stand, Mr. Milholland, that you are a critical pay employee? 

Mr. Milholland. Yes, ma’am. 

Ms. Norton. Is it fair to say that in order to come to the IRS, 
you took a pay cut? 

Mr. Milholland. Yes, ma’am. 

Ms. Norton. Would that have been a significant pay cut? 

Mr. Milholland. Yes, ma’am. 

Ms. Norton. So when we look at how important this data is, I 
wanted to see how many people were in this position. I understand 
that you are authorized in these critical positions, that the IRS is 
authorized only for 168, only for 40 at one time. I am quite amazed 
at that. And even they can only serve 4 terms. You would be lucky 
to keep them for 4 years. You would be lucky to keep them for 4 
years when you consider how critical these people are. We do H- 
B1 visas that are so critical in our own country. 

Is my information correct that here are only 19, Mr. Milholland, 
of these critical technical people at the IRS at this point? 

Mr. Milholland. I can answer for the number in information 
technology. There are 11. I believe Mr. Tribiano can cover the rest. 

Mr. Tribiano. Yes, ma’am, we have 14. And I would just like to 
note, ma’am, that we do not have that authority anymore. That au- 
thority expired. 
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Ms. Norton. Well, that was going to be my next question. I un- 
derstand that this number, since they can only stay 4 years, that 
that number is depleted every time you get to the end of the 4-year 
term. And that critical person, even if they have not already left 
to go to some high tech company, has to go then. 

Mr. Tribiano. Yes, ma’am. 

Ms. Norton. And you have had no authority for at least 2 years 


Mr. Tribiano. Yes, ma’am. 

Ms. Norton. — to hire people. That is why you are down to 19. 

Mr. Tribiano. 14 in total. 

Ms. Norton. 14 for you, Mr. Tribiano, and 

Mr. Tribiano. No, 14 in total for the Agency, ma’am. 

Ms. Norton. Oh, for the entire Agency out of 168 that are au- 
thorized. 

Mr. Tribiano. Yes, ma’am. We lose one this year, and then the 
remaining 13 next year. 

Ms. Norton. This is malfeasance it seems to me, but it is on our 
part. I do not know how we could have gotten without at least au- 
thorizing. I do not know if there is enough funds even if authorized, 
but if you were able to even attract such people, you deserve our 
congratulations. But if we can continue to reprimand you for things 
you do not do in data collection while we do not recognize our re- 
sponsibility to authorize you to have what I regard as a very small 
number of technical professionals on board, then there is a dis- 
parity here that I think the government has to take account of. 

Chairman Chaffetz. Would the gentlewoman yield? 

Ms. Norton. Yes, sir. 

Chairman Chaffetz. My understanding of this process is that 
the Office of Management and Budget has the opportunity to offer 
800 people within the Federal government critical pay authority in 
consultation with the Office of Personnel Management. Of the 800 
available slots for critical pay authority, they are only using 4. Not 
400, 4 of the 800 that are already 

Ms. Norton. Where is this, in this Agency? 

Chairman Chafeetz. Well, throughout government. So if the IRS 
commissioner needs critical pay authority, for instance, for IT spe- 
cialists, which I would probably actually agree with, there is al- 
ready a process and authorization in place where 0MB with 0PM 
goes and gets that authorization. 

Ms. Norton. Well, I understand they do not even have to go 
through 0PM. Is this authority authority that you think the Agen- 
cy needs? 

Mr. Tribiano. Yes, ma’am. Streamlined critical pay is very im- 
portant to us, and if we are able 

Ms. Norton. But do you think you have the authority? The 
chairman thinks you already have the authority. 

Mr. Tribiano. Not under what we had before, which is stream- 
lined critical pay. What the chairman is referring to, I believe, is, 
if I understood right, is an 0MB, I mean, an 0PM process that ex- 
ists for critical IT. 

Ms. Norton. But the people we are talking about do not have 
to go through that process, do they? 
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Mr. Tribiano. Streamlined critical pay, no, ma’am. We would re- 
cruit directly from the private sector into the top IT positions. 

Chairman Chaffetz. If the gentlewoman would yield, if the IRS 
has a case, the mechanism that Congress previous to me had set 
up is that they make the case to the Office of Personnel Manage- 
ment or through the 0MB. In concurrence, they can grant that all 
within the executive branch without having to come to Congress. 

Ms. Norton. But it expired 2 years ago. 

Chairman Chaffetz. No. Well, I will work with the gentlewoman 
to help clarify this, hut I do believe it is currently available. The 
gentlewoman’s time has expired, but I will work with the gentle- 
woman on this topic. 

Ms. Norton. I wish you would because the testimony has been 
pretty direct here that it has expired, and our own research shows 
it has expired. 

Chairman Chaffetz. Okay. Well, again, we will be happy to 
work with you. We now recognize the gentleman from Michigan, 
Mr. Walberg, for 5 minutes. 

Mr. Walberg. Thank you, Mr. Chairman. And just in reference 
to statements made earlier by a member of our committee con- 
cerning several senior-level administrators leaving under the guise 
of the challenges of doing the job here, remember some of those left 
under a rather dark cloud pleading the 5th under potential im- 
peachment, et cetera. So we do not need to forget that also. 

Mr. Milholland, you mentioned that when finding out that your 
direct orders for preservation were disregarded, you were blown 
away. Coming from your experience in the private sector, extensive 
experience and background in the private sector, I would assume 
that orders like that would not have been disregarded clearly with- 
out significant consequence. So I do want to go back to a question 
made by a colleague of mine, Mr. Jordan, and just get a more di- 
rect answer. Do you know of anyone who was reprimanded for not 
following the preservation notice? Reprimanded or worse. 

Mr. Milholland. The way we handled the situation was waiting 
until the TIGTA report was in where basically, as I say, the TIGTA 
concluded there was no criminal wrongdoing, which was peace of 
mind. Someone did not deliberately set out to do this. And then, 
in reading through their report, what conclusion do you come to? 

As I say, management — me — took accountability for our manage- 
ment chain’s failure to see that the instruction was followed. That 
then was dealt with through performance reviews and feedback to 
people for their whole entire performance through the appropriate 
chain and such. We did not penalize or punish anyone on the floor 
because they thought they were doing what they were supposed to 
do. They had received instructions. They were following a process, 
and 

Mr. Walberg. But the leadership team, any one reprimanded? 

Mr. Milholland. In the sense of in their performance review 
feedback, yes. 

Mr. Walberg. But no other consequences beyond that. 

Mr. Milholland. No other consequences, no, sir. 

Mr. Walberg. I doubt that in the private sector it would have 
been as simple as that. Let me move on. Let me move on. The tax- 
payer advocate recently released a report on the IRS future state 
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plan that stated the IRS’s intent to move all taxpayer filing and 
help systems to an online platform. 

In the last 9 months, the IRS has experienced at least two elec- 
tronic data breaches surrounding taxpayer P-2s. This includes the 
May 2015 breach that exposed more than 100,000 taxpayers’ sen- 
sitive information. The taxpayer advocate also found that roughly 
1 in 5 taxpayers who were victims of taxpayer identity theft had 
their IRS files closed. Despite unresolved issues remaining, tax- 
payers, in other words, still had to wait an average of 6 months be- 
fore the negative impact of taxpayer identity theft was addressed. 

Mr. Tribiano, in light of these breaches, why does IRS feel that 
now is the best time to roll out a more expansive and pervasive on- 
line tax system? 

Mr. Tribiano. Well, sir, if I can just add one thing to that. We 
are not abandoning and going everything to digital or to online. We 
still have to take care of the taxpayers that still want to file paper 
returns and go that route. But the customers in this case, the tax- 
payers, have advocated for us, or for the IRS, to operate more as 
a large multinational type of bank to be able to do things online. 
As you can imagine, they would rather deal with us online more 
so than deal with us in person, so we are shifting. 

It is a 3- to 5-year process to go to where we want to go, what 
we call future state. And that is to be able to have interactions 
with the taxpayers electronically the way they are asking for it. 

Mr. Walberg. How do you propose to protect them, though, on- 
line? 

Mr. Tribiano. As we build out the technology, we are changing 
and adapting it, and I think Mr. Milholland can walk you through 
some of the things 

Mr. Walberg. Walk me through that, some of the means by 
which you can stop the breaches that could very clearly come that 
has taken place in person, but it could take place extensively on- 
line. 

Mr. Milholland. Yes, sir. We have an initiative we call the 
eAuthentication Authorization and Access Initiative. The first part 
of this is what we are doing to get transcripts back online. If you 
recall, with that original issue from last May and June, we took it 
offline until we could get it right; that is, the underlying authen- 
tication. Can we really identify that the individuals coming in are 
who they say they are. That work is underway. We hope to roll 
that application back up some time this spring. 

But we also have done other things that we started changing the 
way that we handle, I will say, the online environment. The par- 
ticular technologies we, in fact, deployed as a result of the “Get 
Transcript” incident were, in fact, what allowed us to stop this hot 
attack from 2 weeks ago explicitly. The ability to capture and see 
that this attack was ongoing is a direct result of us improving that 
environment. 

A number of other tools and such are built into our cyber invest- 
ment plan. It is what we are going to use some of the monies that 
are now made available to us from the Congress through an extra 
$290 million. About $100 million of that has been assigned to IT 
specifically for cyber. That is where the investments will be made. 
The President has certainly recognized it in his Fiscal Year 2017 
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budget submission for what he wants to do across the Administra- 
tion. And then part of those monies will be used to improve aspects 
of the IRS online presence. 

There are a number of specific tools I could talk about here, Con- 
gressman. I do not know exactly 

Mr. Walberg. I appreciate this getting on record of what you are 
doing, and that down the road we will not be blown away by mis- 
takes that come, but I want to make sure that this is taken care 
of. That is part of our oversight, and we want to make sure that 
you are doing oversight as well. I yield back. 

Chairman Chaffetz. The gentleman’s time has expired. If Mr. 
Milholland can continue to provide the committee with what they 
are doing in that regard, we would appreciate it. 

I will now recognize the gentlewoman from New Jersey, Ms. 
Watson Coleman, for 5 minutes. 

Ms. Watson Coleman. Thank you, Mr. Chairman. Mr. 
Milholland, it has been almost 4 years since the committee 
launched its investigation of the IRS, and to date IRS has produced 
more than 1.3 million pages of documents from 88 custodians in re- 
sponse to over 80 document and information requests. According to 
the information I have, on June the 3rd, 2015, the IRS’ senior pri- 
vacy official testified before this committee. Is that you, Mr. Killen? 
Is that you? 

Mr. &LLEN. Not at the time. 

Ms. Watson Coleman. Okay, thank you. Well, let me read to 
you what was said. “More than 250 IRS employees have spent 
more than 160,000 hours working directly on complying with inves- 
tigations at a cost of $20 million, which also includes the cost of 
adding capacity to our limited information technology systems to 
accommodate the voluminous information requests.” And that fig- 
ure does not include that at least $2 million additional have been 
spent by the inspector general. Mr. Milholland, what sort of capac- 
ity has been added to the IRS information technology system in 
order to accommodate this information and this investigation? 

Mr. Milholland. There is an investment plan to build out the 
entire process of record retention. This ranges from saving all of 
the email and all of its attachments, the archiving of information 
that are on hard drives in turn being saved. And the first elements 
of this, if we are able to complete our project, would start to roll 
out at the end of December, beginning of January. 

Ms. Watson Coleman. Do you have the resources and the per- 
sonnel to be able to accommodate this effort? 

Mr. Milholland. At the current moment we do not. We have 
what we need to implement toward the end of this year, but for the 
long-term needs of the record retention initiative, to do everything 
that is being asked in the sense of build a system that can search 
for anything and do it instantly, that has not yet been, I will say, 
completely planned out, nor staffed, nor resourced. 

Ms. Watson Coleman. You have made some improvements be- 
cause you were able to detect some suspicious behavior most re- 
cently in the system. And you do not have any reason to believe 
that that was anything terrorist related or anything of that nature 
or 
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Mr. Milholland. Ma’am, are you referring to the hot attack that 
was 2 weeks ago? 

Ms. Watson Coleman. Mm-hmm. 

Mr. Milholland. I cannot speak to who it was. There is an in- 
vestigation going on right now by the investigative side of TIGTA. 
This was done from international sites using malware placed on in- 
dividual machines and servers that attacked the IRS attempting to 
get these e-file PINs, no other taxpayer data. In fact, the e-file PIN 
is not taxpayer data, so I cannot characterize who they were. They 
were, you know, more than likely criminals, but I cannot really 
say. 

Ms. Watson Coleman. After Mr. Maruca’s file was detected, 
after there was this belief that it did not exist and then you found 
out that you had a backup to it, you all have done something that 
would ensure that this problem does not occur in the future until 
you can take care of it in a more technologically savvy way? You 
have made decisions that no information gets erased until after 
something happens, right? Until after what happens, and when 
would that happen? 

Mr. Milholland. Is that a question toward me? I just was not 
sure. 

Ms. Watson Coleman. Well, to whomever can answer it. 

Mr. Milholland. I was not sure if it was to the deputy commis- 
sioner. 

Ms. Watson Coleman. Well, if the deputy commissioner is the 
one that should answer it, I am fine with that. Thank you. 

Mr. Milholland. Okay. 

Mr. Tribiano. The answer to that, ma’am, is yes. We put a non- 
destruct order in for all hard drives and devices for all employees 
of the IRS when they depart the IRS, and we immediately back up 
the hard drive itself electronically so we would have two copies 
until we get to the long-term solution that Mr. Milholland was 
talking about. 

Ms. Watson Coleman. So minimally, would you say that you 
have a future desire to hold this information as long as we are re- 
sponsible as citizens to hold our information at 7 years, that in- 
credible 7 years that we are talking about, or is there something 
other that you all would be presenting? 

Mr. Tribiano. Well, I think that is a question for Mr. Killen. 

Ms. Watson Coleman. Mr. Killen? 

Mr. Killen. Thank you for the question. We are working vigor- 
ously to ensure that we migrate our records management practices 
from sort of the current state to where we need to get to, you know, 
in the future in order to be compliant with all of the respective 
guidances out there from NARA and from 0MB. 

So principally, we have taken, you know, really a multi-pronged 
approach at that. Mr. Milholland and Mr. Tribiano both talked 
about various aspects of that, but I think, you know, first and fore- 
most, again, ensuring that we no longer wipe or 

Ms. Watson Coleman. Erase. 

Mr. Killen. — sanitize existing hardware, ensuring that we have 
copies that are in place on the machines. But we are, in addition 
to that, we have put a process in place for our senior-most Agency 
officials throughout IRS at the executive level because those are 
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the individuals most likely to create Federal records. And so, we 
have an approach that we have implemented called the Capstone 
approach to ensure that we maintain and appropriately archive 
those records of our senior-most officials. At the same time, we are 
currently in the process of implementing a plan for December 2016 
where all IRS employees’ email accounts will be archived electroni- 
cally. And that is per directives that we have 

Ms. Watson Coleman. Thank you, Mr. Killen. 

Chairman Chaffetz. The gentlewoman’s time has expired. How 
convenient. December of 2016, then we will start that process. 
There we go. 

All right. I will now recognize the gentleman from Tennessee, 
Mr. DesJarlais, for 5 minutes. 

Mr. DesJarlais. Thank you, Mr. Chairman. Mr. Milholland, did 
the IRS hire a new director of the Office of Personal Responsibility 
in the past year? 

Mr. Milholland. I actually do not know. 

Mr. DesJarlais. Mr. Tribiano? 

Mr. Tribiano. We transferred an individual into that office. 

Mr. DesJarlais. Who was that? 

Mr. Tribiano. That is Mr. Whitlock. 

Mr. DesJarlais. Mr. Whitlock. Okay. And that is basically the 
director of the IRS ethics department, correct? 

Mr. Tribiano. It could be categorized as that, yes, sir. 

Mr. DesJarlais. Okay. Did they review this individual’s history 
with the Department? 

Mr. Tribiano. With the Department of Treasury? I am not 
aware, sir. 

Mr. DesJarlais. Do you know why the individual’s record would 
not be reviewed prior to hiring someone for this position? 

Mr. Tribiano. Why it was not sent to the Department of Treas- 
ury? 

Mr. DesJarlais. Why they would not review his record before 
hiring someone to oversee the IRS’ ethics department. 

Mr. Tribiano. The Executive Resources Board would have re- 
viewed the record before making the recommendation of the move- 
ment of that individual into that position. 

Mr. DesJarlais. Okay. Mr. Milholland, did that ring any bells? 
Are you aware of Mr. Whitlock? 

Mr. Milholland. Not at all, sir. 

Mr. DesJarlais. No knowledge of him? 

Mr. Milholland. No, sir. 

Mr. DesJarlais. That was not run by you, Mr. Killen? 

Mr. Killen. No, sir. 

Mr. DesJarlais. No. Okay. So the IRS hires a new director to 
head up their personal ethics program. And, Mr. Tribiano, are you 
aware that he has a history of illegally shredding documents? 

Mr. Tribiano. Sir, well, first, let me say I cannot discuss. There 
is an IG investigation. But our internal review that was done in 
2005 found that Mr. Whitlock, there was no intent from that office, 
and that there was no wrongdoing in that process. 

Mr. DesJarlais. Okay. I have seen different reports. Mr. 
Milholland, would you be blown away if you learned that you hired 
an ethics director that had illegally shredded documents? 
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Mr. Tribiano. Just for the record, this position does not report 
to Mr. Milholland. The position reports to the deputy commissioner 
for Service and Enforcement. 

Mr. DesJarlais. Okay. So you have not reviewed the TIGTA 
audit of the OPR that was completed while the individual was de- 
stroying taxpayer records, or you have not read the investigation 
record, or the record destruction, or whistleblower retaliation? 

Mr. Tribiano. No, sir. What I reviewed was our internal review 
of the process that happened. Again, I cannot discuss the TIGTA 
investigation, and our internal review showed that there was no 
wrongdoing by that individual. That individual did not order the 
destruction that was done by the acting director at that time. 

Mr. DesJarlais. Okay. I guess I am just kind of shocked that, 
you know, this is a person that the IRS hired to be the head of 
their Office of Personal Responsibility, and he has got this history, 
and no one on the panel today seems to know anything about him. 

Mr. Tribiano. He was transferred, sir. He has been part of the 
IRS. He was in there as the deputy director of that office, was 
transferred to head up another office for us, and then was trans- 
ferred back in. 

Mr. DesJarlais. Is this typical of how the IRS handles new 
hires? 

Mr. Tribiano. He was a transfer, sir, not a new hire who has 
been with the IRS 

Mr. DesJarlais. So when somebody gets in trouble, they transfer 
him around. Is that how it works? 

Mr. Tribiano. I am not saying that, sir. 

Mr. DesJarlais. Okay. 

Chairman Chaffetz. Will the gentleman yield? 

Mr. DesJarlais. Yes. 

Chairman Chaffetz. Mr. Tribiano, you said there is a new non- 
destroy policy. When did that come into place? 

Mr. Tribiano. That came into place right after we found out that 
we had that gap with Mr. Maruca. 

Chairman Chaffetz. That you had destroyed things. So can you 
give me a specific time? 

Mr. Tribiano. January, sir. I do not know the exact date, but it 
was in January. 

Chairman Chaffetz. So just in the last 30 days? 

Mr. Tribiano. Yes, sir. When we realized we had the gap when 
Mr. Maruca before the 

Chairman Chaffetz. Why did you not put this in a policy when 
Mr. Milholland put this into place into 2013? Did you ever lift that 
non-destruction order, Mr. Milholland? 

Mr. Milholland. I have never lifted the non-destruct order for 
the tapes, the backup tapes, which we were dealing with at the 
time. 

Chairman Chaffetz. The gentleman from Ohio. 

Mr. Jordan. The chairman asked my question. When was the 
order rescinded that you wrote in 2013 which says effective imme- 
diately, email retention policy for backups is to be indefinite? So if 
it is indefinite, is that still in place? 

Mr. Milholland. Yes, sir. Email is saved indefinitely. 
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Mr. Jordan. Well, but the key question is, what about the 
backup tapes. They are saved indefinitely? 

Chairman Chaffetz. If the gentleman will yield, it says, “Do not 
destroy, wipe, or reuse any of the existing backup tapes for email 
or archiving of other information for IRS personal computers.” 

Mr. Jordan. Okay. And our question is, was that rescinded in 
any way. 

Mr. Milholland. If I understand your question correctly, sir, no. 
What we have, we still back up email and 

Mr. Jordan. Okay. Good. 

Mr. Milholland. Excuse me. I am sorry. I am interrupting you. 

Mr. Jordan. No, if it was not rescinded, then why did you have 
to issue a new order that Mr. Tribiano just referenced? 

Mr. Tribiano. I believe what Mr. Milholland was saying is that 


Mr. Jordan. Is it so that you could have another one that people 
will not follow? I mean, that is our point. If you have one in place, 
obviously it was not followed. You said nothing is being rescinded, 
and Mr. Tribiano said just last month we issued a new order to 
preserve all documents and not destroy anything. Why was that 
necessary? 

Mr. Tribiano. The order that Mr. Milholland was referring to, 
the one that he did that was about backup tapes and disaster re- 
covery tapes. What we are talking about is the cleaning of hard 
drives for recycling back into the IRS system for computers or for 
destruction when they go out. And the reason that is in place is 
because some of those hard drives contain 6103 data, so we cannot 
leave them around now for a longer period, so we have to secure 
them. So now with the new order we have to secure those hard 
drives, put them in a secure location, document them, and put 
them away because it has information on them. 

Chairman Chaffetz. And the time has expired. We are going to 
recognize Ms. Kelly here. But that is not what Mr. Milholland’s 
memo of May 22nd, 2013. It says, “Do not destroy, wipe, reuse any 
of the existing backup tapes or email or archiving of other informa- 
tion from IRS computers. Further, do not reuse, or refresh, or wipe 
information from any personal computer that is being reclaimed, 
returned, refreshed, updated from any employer or contractor of 
the IRS.” I mean, it could be not be more explicit. 

Mr. Milholland. Again, Chairman, if I may, that was referring 
to our backup tapes of the email systems and all the information 


Chairman Chaffetz. You can dance around this all the time. 
You had a preservation order in place. You had a do not destroy, 
and you continued to destroy them. You have represented to the 
Department of Justice, and to the courts, and to the United States 
Congress that you are not doing this. This issue has never been 
fixed, and that is why we continue to have these hearings. 

We have gone way past your time. We will recognize the gentle- 
woman from Illinois, Ms. Kelly, for 5 minutes. 

Ms. Kelly. Thank you, Mr. Chairman. Mr. Killen, I wanted to 
talk about what the IRS is doing to ensure that document and 
preservation measures are being implemented so that we do not 
end up here again, which no one wants. It seems strange that we 
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are having a full committee hearing because of one employee’s hard 
drive, especially since all but 2 weeks of his emails were preserved. 
What is the current IRS policy with respect to document preserva- 
tion for departing employees, and how long are their emails kept? 

Mr. Killen. Thank you for the question. As I stated a little ear- 
lier, we have essentially a multi-pronged strategy and approach 
that we are taking with respect to email. First and foremost, we 
have implemented the Capstone approach, which is an approach 
that has been developed by National Archives that is focused on 
your role within the organization, because you want to ensure that 
the senior-most officials in an organization who are most likely to 
create records, that those records are preserved. 

And so, about a year ago we implemented that process across 
IRS to ensure that our senior executives all across IRS, that we 
had the appropriate electronic preservation of those emails. And so, 
that has been in place for the last year, and that was really one 
of the significant early pieces of the strategy. 

Ms. Kelly. And how long are they kept? 

Mr. Killen. They will be kept, there are ranges. But for our 
most senior executives, they will be kept permanently. For sort of 
our second tier of executives on down, they will be kept for 15 
years. And that is very consistent with a role-based approach be- 
cause you want to ensure that you have the preservation of 
records, you know, in the most appropriate fashion. 

So the second piece of that strategy related to email is that by 
the end of this calendar year, by December 2016, consistent with 
the directives that we have received from 0MB that applies across 
the government, not just to IRS employees, we will ensure that all 
of our employee email is available in an electronically accessible 
environment. And then we are also taking a variety of other steps 
to shore up our other processes and procedures with regards to 
records retention for separating employees and for, you know, an 
entire gamut of issues that we are working towards. So we are 
making significant progress. 

Ms. Kelly. Okay. What is the IRS doing right now to ensure 
that an instance such the Maruca case does not occur again? 

Mr. Killen. Thank you for that question. So, again, as part of 
sort of the multi-pronged strategy that we have, because, you 
know, the key issue with Mr. Maruca is he separated from the 
Service. 

Ms. Kelly. Right. 

Mr. Killen. And so, we have a process in place now where if an 
employee separates from the Service, we are ensuring that we do 
not wipe the machine. In addition, we are making the copies of the 
machine. So really, you know, our whole approach around records 
management and retention is first and foremost ensuring that we 
follow the relevant guidance and directives that are out there. But 
then secondly, trying to, you know, build in multiple layers of re- 
dundancy so that we do what we can to reduce, you know, the like- 
lihood of the human element where people make mistakes as well. 

Ms. Kelly. So would you look at this as your longer-term solu- 
tion, or do you have other long-term solutions as it relates to hard 
drive inventory management? 
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Mr. Killen. There is a very long-term solution because, you 
know, you can imagine the volume of records, and particularly as 
just in all walks of life, as we move more towards a digital environ- 
ment. And so, you know, our first focus and emphasis is on email. 
We have paper records, as you might imagine, that we do a pretty 
good job of maintaining, but we have improvement opportunities 
there as well. But longer term, you know, there is guidance that 
talks about by 2019 the Federal government should be able to mi- 
grate to a place where all records are stored in that, you know, ac- 
cessible electronic medium. Our focus is initially on email, but that 
will extend to, you know, all of the various avenues of record cre- 
ation towards that 2019 directive. 

Ms. Kelly. And once you get there, this will allow you to answer 
inquiries from Congress faster or FOIA requests? Do you feel like 
you will be faster at that? 

Mr. Killen. It will certainly help. It will certainly help because, 
you know, the first thing is that the documents have to be avail- 
able certainly. But when you get beyond the actual availability of 
the documents, and when you talk in terms of document produc- 
tion, you also need to have the ability to search. And ideally you 
would want to have the ability to do key word searches because 
those are things that allow you to have, you know, very efficient 
document production. 

So my answer to your question is that having the documentation 
retained is a necessary predecessor first step, but there is also the 
need to have the ability to do, you know, adequate search, find, and 
redaction capability. And that will be a separate effort, but it cer- 
tainly is one that we have our eye on as well. 

Ms. Kelly. I am out of time. Thanks. 

Chairman Chaffetz. I thank the gentlewoman. I will now recog- 
nize the distinguished and always dapper gentleman from South 
Carolina, Mr. Gowdy, for 5 minutes. 

Mr. Gowdy. Chairman Chaffetz, I appreciate your leadership on 
this issue as I do Chairman Jordan’s. And for that reason, I would 
like to yield to the gentleman from Ohio, Mr. Jordan. 

Mr. Jordan. I thank the gentleman. Mr. Milholland, who told 
you to issue the May 22nd, 2013 order, or I think “directive” is 
what you called it. 

Mr. Milholland. The email we talked about earlier, sir? 

Mr. Jordan. Preserve all documents. In other words, retain ev- 
erything. That email. 

Mr. Milholland. That was a request that came from Chief 
Counsel’s Office, and the way to do it was to send an email out as 
quick as we could to the people involved dealing with the backup 
tapes and such. 

Mr. Jordan. And when you did that, did you like have just a 
couple people you were sending it to, or was it like send to every- 
one, send all? 

Mr. Milholland. Principally directed to the operations team 
who deal with the backup tape processes and such, but the IT 
staffs all knew about it. 

Mr. Jordan. And the chart that I see, you got five agencies or 
five groupings that answer to Mr. Tribiano. Were the heads of all 
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five of those groupings sent your email plus all your staff, or just 
within your area? 

Mr. Milholland. It was just within IT. 

Mr. Jordan. Okay. Okay. I just want to be clear. And do you 
know if the commissioner at the time, Commissioner Werfel, knew 
about your directive to preserve all documents? 

Mr. Milholland. I am pretty sure he did because this was one 
of the subjects we were talking about, how we were going to protect 


Mr. Jordan. Okay. And then when Mr. Koskinen came on board, 
do you know if he knew about the directive that was in place and, 
as you have testified today, still in place? Did Mr. Koskinen know 
about that, and does he know that it is still in place today? 

Mr. Milholland. I cannot testify to that, but can I add one cor- 
rection to my earlier statement? 

Mr. Jordan. Sure. 

Mr. Milholland. Okay. As I tried to say earlier — I may not have 
been very clear — that was intended to cover backup tapes for email 
and anything to do with anyone’s information that dealt with at- 
tachments, calendars, and such. At the same time, we also were 
not allowing hard drives to go anywhere. We, in fact, locked up all 
of the TEGE employees’ hard drives in a cabinet, so to speak, so 
they would not go anywhere and such. 

During the Windows 7 implementation 2 years ago and such, ba- 
sically because of budgetary problems, we went and asked, hey, if 
we copy all the hard drives we have been saving, can we now reuse 
them so that we can implement Windows 7. And we got permission 
to do that, so in that sense those non-TEGE hard drives were re- 
used. So in that sense, they were rescinded. I hope that is clear. 

Mr. Jordan. I mean, it is not, a lot of the stuff you said there. 
But nowhere in there did you talk about still how the backup 
tapes, which you said your order applied to, were actually ulti- 
mately destroyed. So that did not cover what he just described, at 
least I did not think so. 

Mr. Milholland. No, sir. I responded earlier describing how 
that happened through employee mistakes. 

Mr. Jordan. Okay. Well, we obviously know there were mistakes 
because you gave an order, and it was not followed, and tapes were 
destroyed, and information and data that is important to the inves- 
tigation was lost. I am going to go back to the question I asked you 
in the first round. I want to be clear. So you received a bonus this 
year and last year? 

Mr. Milholland. No, sir. 

Mr. Jordan. You said your pay went up. So it was not a bonus? 

Mr. Milholland. I am capped salary wise. I do not receive a 
bonus. 

Mr. Jordan. How about this management team you referred to 
when I asked, you know, how this could happen that tapes were 
destroyed in light of your order, in light of your directive? Anyone 
on your management team, did they receive a bonus this past 2 
years? 

Mr. Milholland. Yes, sir. 

Mr. Jordan. They did? 

Mr. Milholland. Yes, sir. 
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Mr. Jordan. And do you okay that, or does that go up through 
Mr. Tribiano and then up to the commissioner? 

Mr. Milholland. It certainly comes through me. I believe it goes 
to a committee Mr. Tribiano sits on called the Executive Review 
Board. 

Mr. Jordan. Mr. Tribiano? 

Mr. Tribiano. Yes, sir. It starts at the division head area, so Mr. 
Milholland would gather up performance awards, not bonuses, and 
they would make those recommendations coming forward. I would 
get them. Either I agree or disagree. 

Mr. Jordan. Performance awards. If you get a performance 
award, that results in additional pay? 

Mr. Tribiano. It results in a performance awards, so, yes, sir, 
your pay. Not your pay salary pay, but your cash. 

Mr. Jordan. You get more money. 

Mr. Tribiano. Yes, sir, but it is not on a continuous basis. It is 
a one-time performance award. 

Mr. Jordan. Mr. Milholland said he takes responsibility for the 
fact he was blown away when this happened after his directive. His 
pay is topped out. He cannot go any higher. And the people on his 
management team who were responsible for the directive not being 
carried and for the backup tapes being destroyed all got perform- 
ance pay increases. Is that accurate? 

Mr. Tribiano. I have to ask Mr. Milholland if he put them for- 
ward in that fashion. 

Mr. Milholland. Not all the managers and executives who re- 
port to me got pay increases or bonuses. I do not recall explicitly 
in the chain that led down to where this incident occurred what the 
actuals were. 

Mr. Jordan. But many of them did. 

Chairman Chaffetz. Will the gentleman 

Mr. Milholland. Probably, but I really do not know, sir. 

Mr. Jordan. I would be happy yield back. 

Chairman Chaffetz. The gentleman’s time has expired. Will you 
provide that to this committee, Mr. Milholland? 

Mr. Milholland. If I am allowed to legally. I do not know if I 
am allowed to release personal information. 

Chairman Chafeetz. Well, when the United States Congress 
asks you, you have legal authority to provide that information to 
Congress. There is nothing classified about people’s compensation 
and bonuses. Would you agree? 

Mr. Milholland. Not to me, sir, but I am not a lawyer, so. 

Chairman Chaffetz. Well, there are some positive qualities. I 
appreciate that. That is a real plus in your column. I get it. I am 
asking you all to provide this information to this committee. 

Mr. Milholland. Yes, sir. 

Chairman Chaffetz. Thank you. 

Chairman Chaefetz. I will now recognize the gentlewoman from 
New York, Ms. Maloney, for 5 minutes. 

Ms. Maloney. I thank the gentleman for yielding. And I would 
like to talk about another outage that was treated differently than 
one recently at the IRS, and that was one that many New Yorkers 
were concerned about. It concerned the New York Stock Exchange 
on July 9th of 2015, and a number of my constituents work there 
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and suffered an outage that completely suspended all of financial 
trading for roughly 4 hours. And this committee sent letters to the 
SEC and to the Stock Exchange trying to understand the cir- 
cumstances surrounding the outage. And they briefed our staff in 
July, and they told us that a software problem — it was basically a 
glitch — caused them to go offline in order to respond and to solve 
the problem. 

Now, the Department of Homeland Security in response to ques- 
tioning by this committee reported that there was no suspicious ac- 
tivity, and the FBI saw absolutely no reason for any type of en- 
forcement action. And since the committee received those briefings, 
we saw no reason to hold a public hearing or to hold an investiga- 
tion since everybody involved said that it was merely a glitch. 

Yet we are going after the IRS today for a similar temporary and 
subsequently resolved website outage. And I just feel that there is 
a little bit of an unequal treatment, and I think we should not have 
unequal treatment. I mean, I will not suggest that the New York 
Stock Exchange should come in for a hearing. I am suggesting that 
we should not be having a hearing on a technical outage for any 
organization, and the IRS seems to be getting a little unequal 
treatment on this. 

And I would like to elaborate, Mr. Milholland, to ask you about 
an incident earlier this month when portions of the IRS website 
were shut down for roughly 30 hours. And I understand that some 
members of Congress thought, and questioned, and rightfully so, I 
think, in the world we live in that it was a cyberattack. But the 
IRS briefed our staff earlier this week, and they told us that this 
was definitely not a cyberattack. They told us, in fact, that it was 
just a mechanical hardware failure similar to what happened at 
the Stock Exchange, a glitch, a hardware failure. 

Now, is my description of what happened to the IRS somewhat 
correct? 

Mr. Milholland. Yes, ma’am. 

Ms. Maloney. So this was not a failure of an IRS information 
system, but just the failure of a singular piece of mechanical equip- 
ment, correct? 

Mr. Milholland. That is correct, ma’am. 

Ms. Maloney. And can you describe what sort of hardware we 
are talking about? 

Mr. Milholland. Yes, ma’am. Our Enterprise server is the pri- 
mary engine for processing tax returns. It is made up of various 
components, including a storage subsystem, which has voltage reg- 
ulators in it. Now, while the root cause analysis is still underway, 
it was those voltage regulators that failed. They are mechanical 
components that are under somewhat high stress conditions when 
the computer is operating. And over time, one of the modules that 
held the voltage regulators literally said I’m failing, called for an 
alert to the mechanic — that is, the technician — to come and fix it. 

During the process of attempting to fix the mechanical device, 
the redundant voltage regulator module also failed. Then it took 
time to restore the equipment to its natural state, bring the system 
back up so tax returns could be processed. Total outage time was 
roughly about 30 hours. 
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No software was involved. No micro code. This was with absolute 
certainty not a cyherattack. It was a failure of mechanical device. 
What we are most interested is the root cause analysis as to why 
did the two fail relatively close together. That work is going on. I 
expect to have the root cause analysis, you know, within a week. 
I have a draft root cause analysis now, but it is not done. We have 
working questions with the supplier on this. But no question that 
this was a mechanical failure. 

Ms. Maloney. So mechanical failure, such as what the IRS expe- 
rienced, is not unique to the IRS. It happens to many organiza- 
tions. In fact, there was a highly publicized mechanical failure with 
the New York Stock Exchange which was similar. They went off- 
line for a while to repair it. So I feel that there is a little bit of 
an unfair or unequal treatment, and maybe a little bit of a major 
focus on the IRS and questioning of the IRS for a long time that 
is not the same treatment that other organizations that handle a 
great number of filings experience. So I just wanted to point that 
out. The failures were very similar for the Stock Exchange and the 
IRS of mechanical equipment failure. 

In any event, my time has expired, and thank you for your testi- 
mony today. 

Chairman Chaffetz. Thank the gentlewoman. We will now rec- 
ognize the gentleman from North Carolina, Mr. Walker, for 5 min- 
utes. 

Mr. Walker. Thank you, Mr. Chairman. Thank you. Panel. I ap- 
preciate you being here today. 

I want to go back to something that I heard a little bit earlier. 
First of all, I want to talk about something that Commissioner 
Koskinen has said repeatedly. His quote says, “I believe that the 
underfunding of the Agency is the most critical challenge facing the 
IRS today.” He has made this comment pretty much in several dif- 
ferent speeches whether it is the Tax Policy Conference or other 
places where he is pretty adamant that that is a major issue. 

But something said earlier by one of my colleagues, I want to go 
back talking about the systems that you said that were dating back 
to John F. Kennedy time, I believe was the comment. It was not 
so much the application as it was the system. Would you repeat a 
little bit earlier and go into that for me just a minute? 

Mr. Milholland. Certainly. What they built back in the 1960s 
for implementation in the i970s was a system designed based 
around the technology that was available to them then. 

Mr. Walker. Sure. 

Mr. Milholland. That design still exists. Even though we are 
running the application now with much more modern underpin- 
ning — that is, this Enterprise server that we just discussed with 
the congresswoman 

Mr. Walker. Sure. 

Mr. Milholland. — the actual design of the application is still 
built upon that 1960s approach. 

Mr. Walker. And I appreciate you clearing that up, but that is 
not what Commissioner Koskinen said. What he said in his ploy to 
try to get more funding, more than the $11 billion already, he said, 
“We have many applications that were running when John F. Ken- 
nedy was president.” Is that an untruthful statement? 
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Mr. Milholland. No, I think that is true. The application, indi- 
vidual master file, and the business master file, and a number of 
those other clearly legacy applications, while some of the platforms 
they run on have changed and the code has been updated numer- 
ous times due to legislation, the programming language is still the 
one that we had then. 

Mr. Walker. Well, he seems to be disagreeing with you on the 
code as well because he said, “The code has been out of date so 
long, it has the unintended effect to keep hackers from hacking in.” 
So is that just something he is not technologically current with 
that? I mean, are you running code from John F. Kennedy because 
it seems 50-something years ago we are still running those kinds 
of systems, and we are still operating with that code? Is that cor- 
rect? 

Mr. Milholland. There are elements of the code that exist back 
that far, but the 

Mr. Walker. COBOL? FORTRAN? What are we talking about 
here? 

Mr. Milholland. COBOL, yes. COBOL programming language 
code. Assembly language code is the principle engine. While we 
have modified it numerous times with particularly legislation, the 
fact of the matter is that system was designed and built in the 
1960s to start running in the 1970s. And so, you know, I believe 
that the commissioner is correct. 

Mr. Walker. Okay. Let me transition while I have got some time 
left. I am going to go back to Form 3210 that was filled out author- 
izing the destruction of Mr. Maruca’s hard drive. If so, if that was 
ordered, who authorized the destruction of that hard drive? 

Mr. Milholland. What would have happened would be that — I 
must say “presumed happened” — was whoever was checking out 
Mr. Maruca from the IRS would have called the IT organization, 
filled out a request to say take his IT assets and follow the normal 
disposition procedures. 

Mr. Walker. Did you assume that would have happened? Why 
was Mr. Maruca’s hard drive not covered by the litigation hold the 
IRS put in place? Why did that not cover that? 

Mr. Milholland. At the time, I mean, he had left before that 
particular litigation hold was put into place. 

Mr. Walker. Well, did he take his stuff with him? Did he take 
the information with him? 

Mr. Milholland. It had already been entered into the process 
of disposition. 

Mr. Walker. Well, so what happens when he leaves? When an 
employee leaves, do their records get destroyed like this? I mean, 
what happened? Who made the decision? Who authorized that, to 
destroy what he was working on? 

Mr. Milholland. I am sorry. I really am not understanding your 
question. 

Mr. Walker. His hard drive, okay? 

Mr. Milholland. Pardon me? 

Mr. Walker. Mr. Maruca’s hard drive. 

Mr. Milholland. Yes, sir. 

Mr. Walker. Who destroyed it? Who authorized it? 
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Mr. Milholland. That would have followed the normal IT proc- 
ess of dispositioning of old equipment. And in that sense, the au- 
thorization is the IRS process. 

Mr. Walker. Is there a timeline for how long an employee leaves 
that hard drives are destroyed? Is there a standard on it? 

Mr. Milholland. No, there is not. It follows 

Mr. Walker. So it is up to discretion. 

Mr. Milholland. There is a lot discretion. There are a number 
of steps that are followed as to where it goes. Because we have had 
shortfalls in our staffing, oftentimes machines can sit around be- 
fore they are disposed of They may oftentimes even get so stacked 
up until someone gets to it. 

Mr. Walker. But his did not get stacked up. Mr. Chairman, my 
time has expired. 

Chairman Chaffetz. I thank the gentleman. I recognize the gen- 
tleman from Alabama, Mr. Palmer, for 5 minutes. 

Mr. Palmer. Mr. Chairman, I only have one question. According 
to a September 2015 inspector general report, the IRS spent $139 
million in 4 years on upgrading its workstations from the outdated 
Microsoft XP to Windows 7, but you still missed the Microsoft April 
2014 end of life deadline. I think you understand that using a sup- 
ported version of Windows is critical to securing data. Yet accord- 
ing to a TIGTA report from September 28th, 2015, you have got ap- 
proximately 1,300 workstations that you either cannot locate or you 
confirmed are running an old operating system. 

My question is, where are you on locating those workstations and 
getting them updated? 

Mr. Milholland. I think there are a number of questions in 
your statement, sir, and I will try answering each one. 

Mr. Palmer. Well, just answer the one where you are on the sta- 
tus of locating those workstations and updating the software. 

Mr. Milholland. We got support from Microsoft to go beyond 
the original expiration of XP so we were not taking a risk with 
those particular workstations. Second, we took them off the net- 
work so they would be isolated, and would not, therefore, be pos- 
sible to hack into them through, I will say, anyone having access 
to the network. Where we are with the actual remaining numbers, 
if I recall correctly, we are complete. I would have to double check 
that, sir, if I can get back to you. 

Mr. Palmer. Could you inform the committee where you are on 
that, and I would like to have that answer in 7 days. Can we do 
that? 

Mr. Milholland. Sure. 

Mr. Palmer. Mr. Chairman, I will yield the balance of my time 
to the chair. 

Chairman Chaffetz. I thank the gentleman. Mr. Milholland and 
Mr. Tribiano, it is May 2013. TICTA issues its audit, and you issue 
an internal preservation order that is extensive. It is capped with 
“in other words, retain everything to do with email or information 
that may have been stored locally on a personal computer.” It is 
pretty broad, but also very definitive. Did you ever rescind that 
order? That is a yes or no question. Did you ever reverse that 
order? 
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Mr. Milholland. I changed the order with, as I tried to explain 
earlier with a TEGE situation where we had to start using some 
of the hard drives that we were saving 

Chairman Chaffetz. Can you provide that 

Mr. Milholland. — in order to implement Windows 

Chairman Chaffetz. Can you provide that to this committee? 

Mr. Milholland. Provide which list, sir? 

Chairman Chaffetz. When you rescinded that, send that to this 
committee. Fair enough? 

Mr. Milholland. I will, yes. 

Chairman Chaffetz. Thank you. 

Mr. Milholland. Yes, sir. 

Chairman Chaefetz. Mr. Tribiano, did the IRS ever change that 
or rescind the order that Mr. Milholland put out to preserve? 

Mr. Tribiano. Not to my knowledge, sir. 

Chairman Chaffetz. After the issuance of that audit, did the 
IRS put any new procedures or policies in place regarding the pres- 
ervation of emails, hard drives, or anything to do with people’s 
interaction with the computers? 

Mr. Tribiano. That was during the time period where we ini- 
tially started the Capstone Project, sir. 

Chairman Chafeetz. Okay. You started a project, but was there 
any change to the internal functionality of the preservation of com- 
puters, hardware, emails, that sort of thing? What changed? 

Mr. Tribiano. Sir, I was not there. I would have to go back and 
look at 

Chairman Chaffetz. Mr. Killen, what changed? 

Mr. Killen. So, following those events, again, in late calendar 
year 2014, early calendar 2015, we implemented the Capstone ap- 
proach for our senior-most Agency officials. And so, that 

Chairman Chaffetz. All government records. You do not have to 
be a senior-most official at the IRS to generate a record that needs 
to be in compliance with the Federal Records Act or to be in com- 
pliance with FOIA. I want to know after TIGTA had issued their 
report in May of 2013, what did the IRS do internally to preserve 
and protect the records that they should have been protecting in 
the first place? 

Mr. Killen. Well, Mr. Chairman, I think that does represent a 
fairly substantive change, and 

Chairman Chaffetz. What does? 

Mr. Killen. Well, first of all, implementing the Capstone ap- 
proach, you know. We had significant consultation with the Na- 
tional Archives 

Chairman Chaffetz. Do you feel it was fully implemented? 

Mr. Killen. The Capstone process that we initiated with our 
senior officials, yes, that has been fully implemented. 

Chairman Chaffetz. If the policy is in place, why was Mr. 
Maruca’s information destroyed? 

Mr. Killen. Fair question. It is an issue of timing because we 
implemented the Capstone approach in actually late December 
2014. Mr. Maruca had already left the Service by that point. 

Chairman Chaffetz. So it takes you more than a year and a half 
to implement a new policy. How hard is it to just save a hard 
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drive? I mean, how hard is that? How expensive is that? How much 
does a hard drive cost, do you know? 

Mr. Killen. I will defer to Mr. Milholland on that. 

Chairman Chaffetz. How much is a hard drive? You want two 
gigs. 

Mr. Milholland. $100 to $250, depending on the 

Chairman Chaffetz. Yeah, we are talking about a hundred 
bucks here. You got a $1.7 billion issue with Microsoft, and you all 
went out and destroyed something that is maybe a hundred bucks. 
Mr. Tribiano, you had to issue a new policy in 2016, correct? 

Mr. Tribiano. A new policy was issued in 2016. 

Chairman Chaffetz. What does that policy do? 

Mr. Tribiano. We will not destroy any hard drives or mobile de- 
vices for any departing IRS employees, and we will copy the hard 
drives digitally to a server. 

Chairman Chaffetz. Congress has been investigating the IRS 
since 2011, and you are just now getting the memo to start pre- 
serving things in 2016? Why does it take almost 5 years to get the 
message that you should not be destroying things? Why does it 
take so long? 

Mr. Tribiano. Well, sir, I mean, we have a records retention pol- 
icy — 

Chairman Chaffetz. Yeah, but you did not follow it. You did not 
follow it. Mr. Maruca’s stuff was destroyed, and it should not have 
been. And you are misstating the facts, by the way, because there 
was another case that they actually copied Mr. Maruca’s, and then 
they happened to find that. I mean, I find it totally unbelievable. 
It truly is an unbelievable set of circumstances. 24 to 48 hours 
after this committee issues a bulletin that we are going to have a 
hearing, and then suddenly you find the information? 

And the Department of Justice had gone to the courts and said 
this stuff had been inadvertently destroyed, but then you actually 
did find it. Do you see why we have zero confidence in the record 
retention policy and the ability to execute on it? 

Mr. Tribiano. Well, sir, you said that I misled you, and if that 
is the case, that was not the intent, so I just want to clarify that. 
We did find those records, and we found it because of another liti- 
gation hold. I thought I made that clear in my opening statement. 
It was not because there was some other thing. It was pure coinci- 
dental that we had another litigation, and we 

Chairman Chaffetz. And coincidental and 24 hours after I issue 
a notice that you are going to have to come appear here, suddenly 
you do find them. That is what is unbelievable. You had gone to 
the courts via the Department of Justice and put it on the record 
that you did not have them. That was not true, was it? 

Mr. Tribiano. At that time that, that was true, yes, sir. 

Chairman Chaffetz. It was not true. 

Mr. Tribiano. Well, in hindsight it is not, but at the time that 
we went to them and said we might have an issue, it was true. 
When it was found that we did copy it for another litigation hold, 
we corrected it. We found that there was another litigation hold. 

Chairman Chaffetz. Okay. The gentlemen’s time has expired. I 
now recognize myself or recognize Mr. Carter for 5 minutes. 



42 


Mr. Carter. Thank you, Mr. Chairman. Mr. Milholland, help me 
out here. I am just trying to educate myself. What is the timeline 
between when an employee leaves the IRS and when their hard 
drive is erased? 

Mr. Milholland. Yeah, that timeline can vary from immediate 
to 6 months. 

Mr. Carter. What determines that? What determines the vari- 
ation? 

Mr. Milholland. Where the person is when they leave. For ex- 
ample, if you are in 

Mr. Carter. I mean, what hallway they are in? 

Mr. Milholland. What office they are in. For example, the 
equipment, if it is picked up by IT, has to be shipped to another 
location. But if you are in the D.C. area, for example, it might hap- 
pen very quickly and such. We typically send these devices to a 
particular data center for the degaussing once we separate the 
hard drive from the rest of the PC. 

Mr. Carter. Okay. When was Mr. Maruca’s hard drive erased? 
What day? 

Mr. Milholland. The deputy commissioner can answer the de- 
tails, but 

Mr. Carter. Okay. 

Mr. Tribiano. Well, we do not know the date, and I think that 
is what the problem is. We know we sent it or consolidated it on 
August 5th. We picked it up from the manager. We consolidated it 
with other hard drives and other laptops, and we sent it to our 
Memphis facility. It arrived in 

Mr. Carter. Now, where was Mr. Maruca because you said, Mr. 
Milholland, that it depended on what office he was in. Which office 
was Mr. Maruca in? 

Mr. Tribiano. Go ahead. 

Mr. Milholland. He was in D.C. as I 

Mr. Carter. He was in D.C. So you just said if he is in D.C., it 
ought to be pretty quick. 

Mr. Milholland. It could be depending, again, on the process 
being followed and the staff that we have to do that work. If there 
was an intent that we say, hey, we could reuse this device very 
quickly, then at that point we would separate the hard drive from 
the rest of the platform and put a new hard drive in. 

Mr. Carter. But in the case of Mr. Maruca, you do not know 
what day it was destroyed? 

Mr. Tribiano. No, sir. It was sent down to the Memphis facility, 
and it was stored down there with other laptops and other com- 
puters that were marked for disposal. 

Mr. Carter. Okay. So where it was sent down to, do they have 
a record of it? Can you call them and find out? I mean, surely they 
keep a record to tell you, okay, we destroyed this hard drive this 
day, this one this day. 

Mr. Milholland. No, sir. What we keep a record of is the asset. 
Once we separate the hard drive from the rest of the computer, the 
rest of the computer is sent off for salvage by an outside contractor. 

Mr. Carter. I am not worried about the rest of the computer. 

Mr. Milholland. Yeah, you are saying 
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Mr. Carter. I am worried about what gets erased. It would just 
occur to me or it would appear to me that you would have a day 
on there, somebody would keep a day that said that this is the day 
it was erased. 

Mr. Milholland. Not necessarily, sir, because we do not view it 
as a major asset at that point. Its disposition, we have flagged for 
destruction. It is sent into the system. Okay, this 

Mr. Carter. Do you ever consider it to be an asset, an important 
asset? 

Mr. Milholland. Once it is flagged for disposition to be de- 
stroyed, no. 

Mr. Carter. Okay. And this is even after we have had the expe- 
rience with Ms. Lerner and with her hard drive being destroyed 
and being wiped out. Even after that we still do not have in place 
when exactly we destroyed it. We still do not know. So you are tell- 
ing me that is a matter of policy? 

Mr. Milholland. It is a matter of the workload and the re- 
sources we have to do that task. 

Mr. Carter. The workload and the resources. 

Mr. Milholland. Yes, sir. 

Mr. Carter. So everything is determined by the workload and 
the resources, not by its importance. 

Mr. Milholland. Well, the importance is that we had already 
decided that this particular drive could be, in fact, be destroyed. At 
that point it is deemed worthless, so it is stacked up with other 
hard drives. 

Mr. Carter. I just find it to be a very poor excuse about re- 
sources. I mean, it would seem to me like that you would have 
been really on your toes, especially in light of what has happened 
in the past. It would seem to me that you would want to absolutely 
know when a hard drive was destroyed or wiped out. I mean, you 
see where I am going here. 

I am just getting the impression from where I am sitting, it looks 
like the IRS is just taking the attitude, hey, we are above the law 
here. I mean, that is what it looks like to me, and I can imagine 
what it looks to a regular citizen who is being audited by the IRS. 
It is really confounding to me that we do not keep better records 
than this. It would appear to me the IRS, in light of everything 
that has happened in the way of hard drives being wiped out, that 
your policy would be better and that you would be keeping better 
records. So you can understand why the general public thinks, 
well, they think they are above the law here. 

I am just flabbergasted by this. Mr. Chairman, I do not know 
what to say except that I hope that you will take it as a lesson and 
understand that, you know, there are people out there who are 
being audited by the IRS who feel like they are being targeted, feel 
like they are being treated unfairly, and feel like the IRS thinks 
they are above the law. And in instances like this, you can under- 
stand why they feel that way. This is unacceptable. 

Mr. Chairman, I yield back. 

Chairman Chaffetz. I thank the gentleman. Myself and Mr. Jor- 
dan have just a couple of other questions, and we are going to wrap 
up the hearing. And members are advised we have votes on the 
floor soon. 
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Since when has the IRS preserved all of its internal emails? 
When did they start to do that? 

Mr. Killen. So our internal email, again, there are nuances to 
it. So 

Chairman Chaffetz. You are either saving them all or not. Do 
you save all the emails? 

Mr. Killen. All our internal emails — all — are not being saved, 
but we have the plan in place in order to get there. All of our 
emails for our senior-most officials are saved. We have actually had 
substantial interaction with NARA, so I do want to get this point 
across that NARA 

Chairman Chaffetz. Hold on. I want to get to this point. You 
still to this day do not preserve all of the IRS emails internally. 
You do not save those. 

Mr. Milholland. May I answer that question, Mr. Chairman? 

Chairman Chaffetz. Yeah. 

Mr. Milholland. The answer is we save them on our backup 
tapes and have since that original email that Representative Jor- 
dan was referring to. 

Chairman Chaffetz. Then why did Mr. Killen just tell me that 
we do not do that? 

Mr. Milholland. I think he was referring to all the 

Chairman Chaffetz. No, no. He can tell you what he is referring 
to. 

Mr. Milholland. I am sorry, sir. 

Chairman Chaffetz. Mr. Killen, you just told me that they do 
not preserve all the emails. 

Mr. Killen. I think there is a distinction between what we have 
preserved on the network and what we have preserved via backup 
and disaster recovery process. And I think that is the distinction 
that Mr. Milholland was going to make. 

With respect to, because I do want to be clear about this point. 
The directive that we are under is that all email should be in an 
electronically accessible format by the end of calendar year 2016. 
That is the plan that we have implemented. That is the plan that 
we are on a trajectory to meet. But in the interim, and, again, this 
has all been a process that we have worked with NARA on. In the 
interim, our senior-most Agency officials’ emails are being pre- 
served, and that is sort of, I talked about this multi-pronged ap- 
proach that we have implemented. That is 

Chairman Chaffetz. Is there anything, Mr. Milholland, that you 
would disagree with that he just said? 

Mr. Milholland. No, sir. We are going to be NARA compliant. 

Chairman Chaffetz. Here is the problem, okay? Here is the 
problem with the testimony. This is testimony from John Koskinen 
of June 23rd, 2014, and here is what he says: “I would note, how- 
ever, since the investigations into the application process for 
501(c)(4) organizations began in May of last year, the IRS” — here 
it is — “the IRS has saved backup tapes for all emails on the IRS’ 
servers, which includes tapes for the 6 months preceding May of 
2013.” And you are telling me that is not true, and that is why we 
keep coming after the IRS, and that is why we are not going to let 
go of this. 

I recognize the gentleman from Ohio. 
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Mr. Milholland. Sir, could I make one statement, please? 

Chairman Chaffetz. The gentleman from Ohio. 

Mr. Jordan. If I could, Mr. Chairman, this will he my third time, 
and the right fine gentleman from North Carolina has not went. I 
just have two questions anyway, Mr. Chairman. 

Mr. Meadows. I will yield to the gentleman from Ohio for two 
questions, and then take up the balance. How about that? 

Mr. Jordan. Okay. So, Mr. Milholland, on March 4th when you 
discovered the tapes are destroyed, March 4th, 2014, the backup 
tapes are destroyed. You testified in the TIGTA investigation that 
you were blown away by the fact that your directive was not fol- 
lowed. What did you do then? And I guess specifically what I am 
asking is, did you have any conversations with your direct report, 
Mr. Tribiano’s office, or the person who runs Mr. Tribiano’s office, 
and/or Mr. Koskinen? 

Mr. Milholland. At that particular time, the TIGTA investiga- 
tion was still going on, so I was not allowed to talk about the con- 
versation I had with TIGTA until after the report was released. 

Mr. Jordan. Okay. So when you learned that the tapes had been 
destroyed, your directive was not followed, you had no conversation 
with the commissioner? 

Mr. Milholland. No. 

Mr. Jordan. Subsequent to when it became public, have you had 
conversations with the commissioner? 

Mr. Milholland. Yes, sir. 

Mr. Jordan. About this specific issue. 

Mr. Milholland. The general conversation around backup tapes, 
yes, sir, and that is what I was trying to correct earlier. We have 
retained backup tapes for indefinitely since that email was issued. 
Those are off of the exchange system, which is the primary email 
system of the Enterprise. 

Mr. Jordan. I get that, but I am asking more specific. Did you 
have a conversation with Mr. Koskinen and say, look, I gave a di- 
rective. It was not followed. 422 backup tapes were destroyed. We 
no longer have those records at all. Did you have that conversation 
with Mr. Koskinen? 

Mr. Milholland. No, I did not specifically. 

Mr. Jordan. Okay. One final one here. In your opening state- 
ment, this is Mr. Maruca’s situation. His hard drive was des- 
ignated for erasure before the issuance of the litigation hold. Is 
that right? 

Mr. Tribiano. Yes, sir. 

Mr. Jordan. Okay. Yet you said later that his data was, in fact, 
though, backed up because you had another litigation hold. 

Mr. Tribiano. Yes, sir. 

Mr. Jordan. So why didn’t the previous litigation hold prevent 
you from destroying the hard drive? 

Mr. Tribiano. Because the data was backed up, and it was sent 
to the digital. What happens is when the attorneys request the in- 
formation, it goes into their — I might be calling it the wrong 
thing — their e-Discovery system where they can access the data 
and do whatever they need to do for discovery purposes. 
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Mr. Jordan. And just to be clear, a litigation hold does not trig- 
ger preservation of hard drives. That only triggers it goes to a 
backup? 

Mr. Tribiano. No, sir. It preserves the records for use in the liti- 
gation. 

Mr. Jordan. And the best record would be the hard drive, not 
the backup. But under this situation, you did not do that. 

Mr. Tribiano. The records are what was on the hard drive and 
backed up at that point in time. 

Chairman Chaffetz. Will the gentleman yield? 

Mr. Jordan. Sure. 

Chairman Chaffetz. Then why did the Department of Justice on 
behalf of the IRS go to the court and say these records had been 
destroyed? 

Mr. Tribiano. Because at that time that we notified the Depart- 
ment of Justice, we did not know that we had the backup of that 
hard drive for that other litigation. So we told the Department of 
Justice that we did not have the hard drive. 

Chairman Chaffetz. And you have no records of what you de- 
stroy and when you destroy it, correct? 

Mr. Tribiano. That is correct. What we know is that on 10/27, 
it was received in Memphis, and between that period and the pe- 
riod of April 16th, I believe, when the shell of the computer was 
delivered to the third party vendor, it was during that time period. 

Chairman Chaffetz. How convenient. You have no records of 
what is destroyed and when, and yet you require every American 
to keep all their records. That is what so fundamentally wrong and 
screwed up with the IRS. That is just wrong. And there a lot of 
good people that work at the IRS, but you know what? You go after 
Americans, but you do not take care of business at the IRS. It is 
just wrong. It is just wrong. 

And it causes mess. We are talking about a $1.7 billion case, and 
you guys cannot keep track of what you destroy and when you de- 
stroy it. How hard is it to put a log in there, “destroyed this one 
at this time?” How long does that take? I mean, you can go to Best 
Buy and buy something off the shelf for like 50 bucks. I just do not 
understand that. Do you have an answer for that? 

Mr. Tribiano. I do not think it would be that difficult, sir. 

Chairman Chaffetz. Then why is it not done? 

Mr. Tribiano. I can turn that over to the Mr. Milholland who 
runs the IT shop and runs those procedures, and ask what that 
would mean from a staffing perspective and from a documentation 
perspective. But I think what Mr. Milholland alluded to was that 
it is an asset, and it is kept into the assets, and it is kept into the 
system up to the point where it is marked for disposal. And at that 
point it stops. 

Chairman Chafeetz. I yield back to the gentleman from North 
Carolina. 

Mr. Meadows. Thank you, Mr. Chairman. Mr. Milholland, let me 
tell you the issue that most Americans have with this. Storage is 
cheap. I mean, we have gotten to a point where even storage of mil- 
lions of records is really cheap. We have gotten to a situation 
where it would have been so much easier when the first hearing 
happened, not 24 hearings later, but the first hearing, to say, you 
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know what? Gosh, we are going to have this prohlem. We had bet- 
ter preserve everything. What precluded you from doing that, from 
preserving everything at that point? When Lois Lerner first came 
in here and took the 5th, what stopped you from saying let us just 
preserve everything? 

Mr. Milholland. I cannot recall the subject ever coming up, sir. 

Mr. Meadows. Now, you cannot recall the subject coming up. It 
was in the headlines, I mean, almost every major newspaper, and 
the subject did not come up about keeping it? And yet your testi- 
mony today says that you are NARA compliant. Would you care to 
revise your statement, because I do not believe that you are NARA 
compliant at this point. Having the National Archives underneath 
my subcommittee, I would probably beg to differ with that. So 
would you like to revise your 

Mr. Milholland. I would ask that Mr. Killen to respond to 
whether or not we are NARA compliant since that is his area of 
expertise. 

Mr. Meadows. All right. So are you NARA compliant? 

Mr. Killen. We are generally NARA compliant. 

Mr. Meadows. No, there is a “yes” or “no.” “Generally” is if I am 
speeding and I generally go below the speed limit I do not get a 
ticket. But only those couple of times that I go beyond the speed 
limit I actually do get a speed limit ticket. Tell me, are you compli- 
ant or not? 

Mr. Killen. Well, I have to speak to the wording of the report, 
I mean, because we have had NARA reviews. And so, certainly we 
have opportunities for improvement, and 

Mr. Meadows. Then you are not NARA compliant. 

Mr. Killen. But on the whole, NARA has opined that we are 
generally 

Mr. Meadows. You are making progress I think is what they are 
saying. 

Mr. Killen. We are certainly making progress, and we have op- 
portunities — 

Mr. Meadows. But today you are not NARA compliant, which 
means that all communication would be preserved, would it not? 

Mr. Killen. We certainly have work to do. 

Mr. Meadows. Okay. So if you have work to do, then you can re- 
vise your statement that you are NARA compliant because obvi- 
ously you are not. 

Mr. Milholland. In that sense, you are correct, sir. 

Mr. Meadows. All right. So let me go a little bit further, and I 
am going to piggyback on what the chairman talked about. Mr. 
Killen, why is it taking so long? I mean, why is this taking so long 
for us to get it right? Why December of 2016? 

Mr. Killen. Well, I think that the 2016 date is predicated on the 
0MB directive. That does not extend to just IRS. 

Mr. Meadows. So it is OMB’s fault. 

Mr. Killen. No, no, it is not an issue of fault. It is an issue of 
what is the origin of the December 2016 date. And the origin of 
that December 2016 date is the 0MB directive that says that all 
Federal agencies should have email in an electronically accessible 
format. 
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Mr. Meadows. So it would not have anything to do with the 
change of Administration. 

Mr. Killen. I could not speak on that. I do not 

Mr. Meadows. Well, do you not find it curious that December 
2016 and Administration change would happen within 20 days of 
that date? 

Mr. Killen. I really cannot speak on that. 

Mr. Meadows. Okay. All right. So let me go on a little bit further 
because part of this whole hearing process has been other types of 
communications. And you all have been very careful to say “email 
communications,” but there are a number of other electronic com- 
munications that go on the system and go back and forth. Is that 
correct, Mr. Milholland? 

Mr. Milholland. Are you referring to instant messaging, sir? 

Mr. Meadows. Yeah. I mean, do you not have substantial com- 
munications among some senior-level people at the IRS that hap- 
pens outside of email? 

Mr. Milholland. Yes, sir. There are obviously phones. There are 


Mr. Meadows. Okay. How about on text messages or instant 
messaging? 

Mr. Milholland. Actually I do not actually 

Mr. Meadows. You do not. Does anybody there use instant mes- 
saging? 

Mr. Tribiano. I do not, sir. It is on our system. 

Mr. Meadows. Yeah. You know, our gray hair probably throws 
this away, but I will go to the end. Mr. Killen, I am sure you do, 
do you not? 

Mr. Killen. I certainly do. 

Mr. Meadows. I figured you would, so it may be a general thing. 
But, Mr. Killen, do you use that instant messaging to do anything 
more than “is it time to go to lunch or a coffee break?” I mean, do 
you conduct business on instant messaging? 

Mr. Killen. Generally speaking, I do try to be careful about 
what I 

Mr. Meadows. Has there ever been a case where you have used 
instant messaging for business? 

Mr. Killen. I am sure there probably has been. 

Mr. Meadows. Yeah. And so, here is the issue, Mr. Milholland, 
and I am going to finish with this. Storage has become cheap. 
Backup tapes are becoming a thing of the past. I remember backup 
tapes, and I do not understand why with the amount of money that 
we are spending that we are still using backup tapes, unless they 
are just such legacy programs that we have to use the backup 
tapes for storage. 

We are committed to providing the resources. What we have not 
seen is the commitment to really get serious about preserving ev- 
erything like Commissioner Koskinen has said he would do. And 
until we see that, we are going to take issue. Does that make 
sense? 

Mr. Milholland. I understand you, sir. 

Mr. Meadows. All right. I will yield back. 

Chairman Chafeetz. I thank the gentleman. The committee 
stands adjourned. 



49 


[Whereupon, at 3:18 p.m. the committee was adjourned.] 
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DEPARTMENT OF THE TREASURY 

INTERNAL REVENUE SERVICE 
WASHINGTON. D.C. 20224 


The Honorable Jason Chaffetz 
The Honorable Elijah Cummings 
Committee on Oversight and 
Government Reform 
U.S. House of Representatives 
Washington. DC 20515 

Dear Chairman Chaffetz and Ranking Member Cummings: 

Thank you for the recent opportunity to appear before your Committee and testify on 
our legal obligations, document preservation, and data security practices and policies 
along with my colleagues, the IRS Chief Information Officer Terence Milholland and 
Edward Killen, Director of our Privacy, Government Liaison & Disclosure office. 

Many of the Committee's questions at the hearing pertained to our notice to a federal 
district court in connection with pending litigation that we inadvertently erased a former 
employee’s hard drive that contained data pertinent to the litigation. Although we were 
not certain at that time whether the e-mails that were the subject of the litigation hold 
were permanently irretrievable, we promptly made this disclosure to the court in the 
interest of transparency. Shortly thereafter, we located an earlier collection from the 
former employee's hard drive that contained nearly all of the employee’s e-mails that 
were saved to the hard drive.’ In addition, as we have advised your staff, we recently 
Identified a hard drive used by that employee, which appears to contain all of the 
employee’s e-mails that were saved to the hard drive.^ In sum, based on what we know 
at this time, there does not appear to be any data lost from this former employee’s hard 
drive. Of course, if we discover otherwise, we wili promptly advise the district court. 

During the hearing, there were several exchanges in which we committed to provide 
additional information. I discuss these each in turn below. 


’ With respect to the earlier collection, we previously indicated the data stored on the 
former employee’s hard drive was copied on July 16, 2014. To be precise, the data was 
collected on July 10, 2016, and the encryption certificates required to access the data 
were collected on July 16, 2014. 

^ Apparently, the erased hard drive referenced above was identified in error. It does 
not, in fact, appear to have been used by the former employee in question. 
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First. Chairman Chaffetz and Representative Norton asked us to provide information 
about the now-expired Streamlined Critical Pay (SCP) authority. Enclosed please find 
an explanation of SCP and how it is different from OPM's Critical Position Pay (CPP). 
The SCP authority allows for a flexible recruitment and hiring process, which was the 
primary benefit of that authority. CPP, on the other hand, requires additional levels of 
approval that slow down the hiring process substantially. The enclosed explanation 
highlights how SCP is significantly more useful for the IRS than OPM’s CPP. 

Second, Chairman Chaffetz asked how IRS internal preservation orders work. The 
response to this question, entitled "Internal Preservation,” is enclosed. The response 
references Chief Counsel Notice 2016-005, which is also enclosed. 

Third, Chairman Chaffetz asked what documents the IRS retains and for how long. IRS 
employees maintain and use records for the organization's mission-critical work in 
accordance with over 2,000 National Archives and Records Administration (NARA)- 
approved records disposition authorities published in Document 12990 (enclosed), at 
IRS Records Control Schedules (RCS) 8 through 37. Temporary dispositions range 
from “destroy when no longer needed” (that is, minimal one-day retention) to “destroy 
after 75 years” based on business need. Under limited circumstances, we appraise 
some records as permanent and transfer them to NARA after they have met our 
business need. 

One of our primary recordkeeping responsibilities concerns individual and corporate tax 
return files. Individual return files (including related correspondence, audit reports, work 
papers, and other documents attached to the return or considered a part of the 
administrative file) are scheduled as seven-year records under RCS 29, item 56. 
Corporate return files (including related work papers, forms, schedules, and exhibits) 
are 50-year records under RCS 29, item 58. 

In its Records Management Inspection Report for the Department of the Treasury and 
the Internal Revenue Service dated June 30, 2015, NARA stated the IRS Records and 
information Management Program “was sufficiently compliant with the statutes and 
regulations” covered by the inspection. Consistent with NARA requirements for ail 
federal agencies, we also maintain personnel, administrative, and other housekeeping 
records in accordance with NARA’s General Records Schedules (GRS). We publish the 
GRS in IRS Document 12829 (enclosed). 

Fourth, Chairman Chaffetz asked when the order to “retain everything to do with e-mail 
or information that may have been stored locally on a personal computer” was 
rescinded or modified. 

The order Chairman Chaffetz referenced was the Chief Information Officer’s instruction, 
delivered by e-mail dated May 22, 2013, “to retain everything to do with email or 
information that may have been stored locally on a personal computer," in light of the 
investigations then recently initiated regarding IRC section 501(c)(4) applications for 
tax-exempt status. The CIO modified this order on June 25, 201 3, in conjunction with 
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the Deputy Commissioner, Operations Support, and upon consultation with the Office of 
Chief Counsel. This modification was to exclude hard drives for employees who were 
not in any way related to the matters then under investigation. The reason for resuming 
the routine wiping of non-investigation related hard drives was to accommodate the 
agency’s need to reuse hard drives to meet our business and operational needs. The 
May 22, 201 3 order remained in full effect for disaster recovery tapes. 

As of January 14, 2016, we have re-instituted a halt, agency-wide, to the erasure and 
recycling of all employee devices, including hard drives, indefinitely. 

Fifth, Chairman Chaffetz and Congressman Connolly asked us to provide a copy of the 
technology road map (including costs), as well as more information on the IRS Future 
State Vision. Enclosed please find the following documents: 

• IRS Technology Roadmap 

• Building a Bridge to the Future of Taxpayer Service at the IRS 

In addition, per your staff's request, we have provided a briefing on the IRS Future 
State. We are happy to provide additional information on this matter if requested. 

At this stage, we do not yet have a finalized cost estimate for fully implementing the 
multi-year IRS Technology Roadmap. When we finalize the estimate, we will gladly 
provide it to you. 

Sixth, Congressman Walberg asked about the means by which the IRS can prevent 
data breaches that may take place either online or in person. We are committed to the 
security and privacy of taxpayer information and manage the security risks in IT 
infrastructure as required by the Federal Information Security Management Act 
(FISMA), National Institute of Standards and Technology (NIST) guidance, and other 
appropriate standards. The IRS Cybersecurity Program is designed to provide proactive 
defense in depth and breadth by implementing world-class security practices in 
planning, implementation, management, and operations involving people, processes, 
and technologies. 

Many of the specific techniques we use to prevent data breaches would be vulnerable 
to exploitation by criminals if we were to disclose them. However, I can tell you that we 
take the following steps to safeguard taxpayer data: 

• We provide our employees with mandatory cybersecurity and IT security training, 
as appropriate. 

• The IRS Information Security Continuous Monitoring (ISCM) program manages 
information security risk on a continuous basis, monitoring security controls in 
IRS information systems and the environments in which those systems operate 
on an ongoing basis and maintaining ongoing awareness of information security, 
vulnerabilities, and threats to support organizational risk management decisions. 
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• We aggressively protect taxpayer data by applying layered security technologies, 
including: 

o Encryption of taxpayer data for any transmission externally 

o Internet proxy systems for all external web and email communications with 
SSL/TLS inspection, required user authentication, content filtering, URL 
inspection and reputation enforcement, media type restriction, vendor and 
custom category blocking, application filtering, and foreign country code 
top level domain blocking 

o Multiple levels and types of firewalls with strict content filtering firewall 
policies 

o Network security monitoring 

o Network and host-based intrusion detection/prevention with custom 
signatures 

o Antivirus at perimeter web and email gateways and endpoints 

o Custom tools and scripts for detection of advanced persistent threats, 
emerging threats, and restricting internet access to prevent Internet 
misuse 

o Implementation of key initiatives including configuration management and 
vulnerability management tools 

o implementation of data loss prevention technologies to prevent losses of 
both Personally Identifiable Information and Sensitive but Unclassified 
information (for example, passwords) 

Seventh, Congressman Jordan asked whether certain IT managers received bonuses 
in the past two years. As part of our investment in our workforce, we recognize 
qualifying employees who do exceptional work. Performance awards are a necessary 
incentive to motivate the workforce and to retain highly qualified employees who are 
important to the achievement of our mission. In that regard, I firmly believe that 
appropriate performance awards provide the agency and taxpayers with a good return 
on the dollar. This investment ensures that highly qualified employees have an incentive 
to stay with the agency and to perform at a high level. 

To be clear, we do not issue awards to employees that have engaged in 
misconduct. And, all in all, only about 50-60 percent of the entire IRS workforce will 
receive a performance award. 

In response to this request, enclosed please find a document entitled “Performance 
Awards," which lists the IT employees discussed and identifies whether those 
individuals received bonuses in each of the last two years. Please note that with regard 
to the employees that Congressman Jordan referenced. Treasury Inspector General for 
Tax Administration (TIGTA) and Department of Justice (DOJ) investigators did not find 
misconduct. TIGTA and DOJ agreed there was no intention on the part of any IRS 
employee to either destroy documents or to interfere in any way with the then-pending 
investigations. 
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I hope this informatfon is helpful. If you have questions, please contact Leonard Oursler, 
Director, Legislative Affairs, at (202) 317-6985. 


Sincerely, 



Jeffrey J. Triblano 


Enclosures (8) 

cc: The Honorable Eleanor Holmes Norton 
The Honorable Gerald Connolly 
The Honorable Tim Walberg 
The Honorable Jim Jordan 


o 



